Vulnerability assessments (VAs) and penetration tests (often shortened to “pentests”) are effective techniques for identifying and eliminating risks in a software system. In IT security, a vulnerability is a loophole or weak link in a software system. A penetration test is a planned attack on a software system that simulates the approaches used by real attackers, while a vulnerability assessment is the use of automated scanners to locate loopholes in design, implementation and other facets of a system that could jeopardize the security of sensitive information.
To get the most out of pentests and VAs, you need to establish your goals. Goal setting, the first stage of the process, is your opportunity to define what you want to achieve before you begin working. For example, you may decide to run a penetration test against a new or updated application before rolling it out to all your systems. This way, you can ensure that the application will not open your network to attacks.
In contrast, the automated nature of vulnerability assessments makes it better-suited to regular, proactive use. You can use the results of these assessments to minimize the surface area exposed to attacks, reducing the potential damage from a successful attack at the same time.
To set appropriate goals, you need to gather data about the assets to be tested and their associated risk levels. These assets may include endpoint devices, servers, firewalls or even entire networks. Broadly, you want to determine which assets have the highest risk of being affected by an attack.
Additional risk factors to consider include open ports, active services and the users who have access to any given asset. Minimizing these risk factors reduces the options available to would-be attackers.
Performing the Test
The next step is to perform the test of your choice. Typically, a penetration test is a manual approach, while vulnerability assessments rely more heavily on automated tools. In penetration tests, a security specialist uses a variety of software to identify loopholes in logic, libraries and functions that make an attack possible. In a vulnerability assessment, an automated tool passes various inputs to the application or system being tested. It records the responses it receives to check for vulnerabilities that could be exploited, leading to arbitrary code execution or another security event.
In any case, those performing the test should be aware of any business-related compliance requirements and determine the best time and date to perform the test.
To conclude the test, the tester must reverse any changes made during a simulated attack, returning the network to its original state. The importance of the assets being tested and the findings from the tests performed can form a basis for developing and implementing risk mitigation techniques. The result is a network that is more difficult to attack.