Security // vulnerability assessments & penetration tests
All systems, from commercial appliances to in-house web applications, need to be tested for vulnerabilities before they get deployed in production. Whether it's for the initial release or after a significant update, it’s critical to have experts test the system for security issues. But this process can take different forms, from a basic assessment performed by automated tools to a full intrusion exercise.
Vulnerability scanners are tools designed to identify known vulnerabilities in operating systems and commercial applications. They can also try basic attacks against custom system parameters where logical thinking is not required. It’s important to note that while vulnerability scanners seem easy to use, they may require a great deal of configuration, which can only be done by an expert. Vulnerabilities discovered by vulnerability scanners represent only about 40% of all security issues found in systems. This is partly because logical errors cannot be tested by tools. This is especially true for web applications, which are very different from one another, making automated attacks more difficult to implement.
But while vulnerability scanners are important, they cannot undertake a vulnerability assessment by themselves. They are only one of many tools and techniques used in security assessments. As Daniel Miessler describes them, Vulnerability Assessments (VA) are designed to yield a prioritized list of vulnerabilities and are suitable for organizations that already understand they are not where they want to be in terms of security. They already know they have issues and simply need help identifying and prioritizing them. The more issues identified the better, so naturally a white box approach should be embraced when possible. The assessment deliverable is, most importantly, a prioritized list of discovered vulnerabilities and recommendations.
Penetration tests, or pen tests for short, are designed to achieve a specific, attacker-simulated goal and should be requested by organizations that are already at their desired security posture. They are excellent at proving or disproving misuse cases and at confirming the security level of a system from an attacker’s point of view. The penetration test deliverable is a report of how security was breached in order to reach the agreed-upon goal and, more importantly, how to remediate.
In a nutshell, the goal of a vulnerability assessment is to identify as many vulnerabilities as possible with minimum exploitation, while the goal of a penetration test is to go as deep as possible for each misuse case with full exploitation of discovered vulnerabilities. Ideally, VAs should be done before each release while pen tests should be used to confirm that the recommendations listed in the VA report were implemented properly.