How to Perform Pentests and Vulnerability Assessments

Vulnerability assessments (VAs) and penetration tests (often shortened to “pentests”) are effective techniques for identifying and eliminating risks in a software system. In IT security, a vulnerability is a loophole or weak link in a software system. A penetration test is a planned attack on a software system that simulates the approaches used by real attackers, while a vulnerability assessment is the use of automated scanners to locate loopholes in design, implementation and other facets of a system that could jeopardize the security of sensitive information.

Setting Goals

To get the most out of pentests and VAs, you need to establish your goals. Goal setting, the first stage of the process, is your opportunity to define what you want to achieve before you begin working. For example, you may decide to run a penetration test against a new or updated application before rolling it out to all your systems. This way, you can ensure that the application will not open your network to attacks.

In contrast, the automated nature of vulnerability assessments makes it better-suited to regular, proactive use. You can use the results of these assessments to minimize the surface area exposed to attacks, reducing the potential damage from a successful attack at the same time.

To set appropriate goals, you need to gather data about the assets to be tested and their associated risk levels. These assets may include endpoint devices, servers, firewalls or even entire networks. Broadly, you want to determine which assets have the highest risk of being affected by an attack.

Additional risk factors to consider include open ports, active services and the users who have access to any given asset. Minimizing these risk factors reduces the options available to would-be attackers.

Performing the Test

The next step is to perform the test of your choice. Typically, a penetration test is a manual approach, while vulnerability assessments rely more heavily on automated tools. In penetration tests, a security specialist uses a variety of software to identify loopholes in logic, libraries and functions that make an attack possible. In a vulnerability assessment, an automated tool passes various inputs to the application or system being tested. It records the responses it receives to check for vulnerabilities that could be exploited, leading to arbitrary code execution or another security event.

In any case, those performing the test should be aware of any business-related compliance requirements and determine the best time and date to perform the test.

Completion

To conclude the test, the tester must reverse any changes made during a simulated attack, returning the network to its original state. The importance of the assets being tested and the findings from the tests performed can form a basis for developing and implementing risk mitigation techniques. The result is a network that is more difficult to attack.

Featured eBook
Cloud Security: Keeping Serverless Data Safe

Cloud Security: Keeping Serverless Data Safe

Serverless computing has emerged as one of the fastest growing cloud services mainly because it enables developers to write less code. Rather than having to write the code to process analytics as a batch job within the application, for example, developers increasingly are making use of functions, a small piece of code that, when invoked, ... Read More
Security Boulevard
Shomiron Dasgupta

Shomiron Dasgupta

With his extraordinary skillset as an intrusion analyst and immense passion for tech advancements, he has been building threat detection systems for close to two decades and has established partners in 14 countries across several industries like healthcare, insurance, transport, banking, and media. Prior to founding and developing DNIF, a product that delivers quality attack detection products and services to its customers, he worked with ICICI Infotech Ltd. as a Senior Consultant, where his core responsibility was to solve critical cybersecurity challenges faced by customers. Shomiron, a TedX speaker, is also an eminent speaker at many industry events including DSCI (Data Security Council of India) and SACON (Sálim Ali Centre for Ornithology and Natural History). He is an alumnus of St. Xavier’s college. Outside the tech world, he is a trained mountaineer with expedition experience in the high Himalayas.

shomiron-dasgupta has 3 posts and counting.See all posts by shomiron-dasgupta