Recently, we were asked by a client what VAPT meant. VAPT is an acronym for Vulnerability Assessment and Penetration Testing. This is a broad term which can refer to many different types of security testing, so we’ll dig a bit deeper into different services that could be referred to as VAPT, with the goal of ensuring you choose the best type of assessment for your program.
The Basics of VAPT
A vulnerability scan is an automated test run with off-the-shelf software. The scanner looks across your network for vulnerabilities it knows how to identify. It can be an external scan targeting your network perimeter or an internal scan covering the internal systems that are not exposed to the Internet. Scanners use a database of known vulnerabilities and their associated indicators (most often a version string in a service banner, or the presence of a known-vulnerable configuration) to decide whether a system is vulnerable. When an indicator matches, the scanner reports the finding and moves on, without actually validating the vulnerability or determining its real risk.
Vulnerability scans have two major advantages. First, they are cheap. Although there are free scanners available, a professional scan will typically cost around $1,000 – $4,000 depending on the size of your network. Second, and one of the reasons they are cheaper, they are automated: a professional needs to configure the scan and validate the reported findings, but does not need to spend additional hands-on time. Many compliance standards require quarterly vulnerability scans to ensure you are identifying vulnerabilities in your network on a regular basis. These scans can also validate that your patch management process, hardening process, and other security controls are working as expected.
A penetration test, by contrast, consists of a highly skilled engineer, or ethical hacker, emulating an attacker trying to gain access to your network or your sensitive data. The engineer abides by agreed-upon rules of engagement, which set the scope and targets and formalize the rules that must be followed to avoid problems such as disrupting production systems. Similar to a vulnerability scan, a penetration test can be external or internal, but it can also be highly customized or targeted at specific areas, such as a web application penetration test.
A penetration test goes much further than a simple scan, though. The engineer may start with automated scanning, including a vulnerability scan, to speed up the test, but they will weed out false positives and use the scan results as input to real exploit attempts in order to gauge risk. A vulnerability scan does not exploit a vulnerability, which leaves room for false positives and misunderstood risk. Because the engineer demonstrates the impact of a vulnerability by actively exploiting it, a penetration test shows real risk far better than a vulnerability scan can.
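To make the difference between the two concrete, here is a small added example (not Triaxiom's code, and not a real scanner) that models the banner-based detection a vulnerability scanner performs, as described above, next to the validation step a penetration tester adds on top of the scan output. The products, version numbers, advisories and hosts are constructed and hypothetical; `host["probe"]` stands in for a safe exploit attempt and is an assumption of this example.

```python
"""Added example (not Triaxiom's code): a minimal model of banner-based
vulnerability detection, the way a scanner decides a host is vulnerable, next
to the validation step a penetration tester adds on top of the scan output.

The products, version numbers and advisories below are constructed and
hypothetical; they do not correspond to real software or real CVEs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple          # first version that contains the fix
    title: str


# Constructed vulnerability "database": hypothetical entries only.
VULN_DB: List[Advisory] = [
    Advisory("examplehttpd", (2, 4, 50), "Path traversal in examplehttpd < 2.4.50 (hypothetical)"),
    Advisory("examplessh", (8, 5), "Authentication bypass in examplessh < 8.5 (hypothetical)"),
]

# product, a separator, a dotted version, then any distro/package suffix.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[/_ ](?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)")


def parse_version(text: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); tuples compare element-wise, like version numbers."""
    return tuple(int(part) for part in text.split("."))


def scan_banner(banner: str) -> List[str]:
    """Scanner logic: a product/version match against the database is reported
    as a finding. Nothing is exploited, so a backported fix that leaves the
    upstream version string unchanged still looks vulnerable here."""
    match = BANNER_RE.search(banner)
    if not match:
        return []
    product = match.group("product").lower()
    version = parse_version(match.group("version"))
    return [adv.title for adv in VULN_DB if adv.product == product and version < adv.fixed_in]


def triage(host: Dict) -> Dict[str, List[str]]:
    """Pentester step: re-test every scanner finding with a safe exploit attempt
    and keep only what can actually be confirmed. host['probe'] stands in for
    that attempt (an assumption of this example, not a real exploit)."""
    reported = scan_banner(host["banner"])
    confirmed = [title for title in reported if host["probe"](title)]
    false_positives = [title for title in reported if title not in confirmed]
    return {"reported": reported, "confirmed": confirmed, "false_positives": false_positives}


# Constructed sample hosts. web-02 advertises the same upstream version as
# web-01 but carries a distro package revision (the '-3+deb11u2' suffix) that
# already contains the fix, so the exploit attempt fails there.
HOSTS = [
    {"name": "web-01", "banner": "Server: examplehttpd/2.4.49", "probe": lambda title: True},
    {"name": "web-02", "banner": "Server: examplehttpd/2.4.49-3+deb11u2", "probe": lambda title: False},
    {"name": "bastion", "banner": "SSH-2.0-examplessh_8.6", "probe": lambda title: True},
]


def run_assessment(hosts=HOSTS) -> Dict[str, Dict[str, List[str]]]:
    """Return the scan-versus-validation outcome for each host, keyed by name."""
    return {host["name"]: triage(host) for host in hosts}


if __name__ == "__main__":
    for name, result in run_assessment().items():
        print(f"{name}: scanner reported {len(result['reported'])}, "
              f"confirmed {len(result['confirmed'])}, "
              f"false positives {len(result['false_positives'])}")
```

The scanner's only input is the version string, so `web-01` and `web-02` look identical to it and both are reported; only the exploit attempt in `triage` separates the real finding from the false positive. That is the same gap a real scanner has when a vendor backports a fix without bumping the upstream version.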
Why do you need VAPT?
Both vulnerability scans and penetration tests are an important part of a mature information security program. Vulnerability scans are cheaper and automated, meaning you can run them regularly without consuming significant staff time. As a general guideline, vulnerability scans should be run at least once a quarter, and after any major change to a system or the network. This allows you to catch issues that may have fallen through the cracks, such as a missed patch or a misconfigured new host.
Vulnerability scans should not be used instead of penetration testing. Vulnerability scans do not cover many of the techniques attackers use to gain access to your network, such as password attacks. They also do not adequately demonstrate risk: directory browsing discovered on a system that discloses millions of patient records may be rated a “Low” priority simply because the scanner cannot recognize ePHI in what it sees. Penetration testing should be performed in conjunction with vulnerability scans, and most standards recommend that penetration testing be performed at least annually.
Choosing a VAPT Provider
Selecting a VAPT vendor can be a pivotal moment for your security program. Balancing affordability, expertise, and reliability is a juggling act when it comes to choosing a VAPT provider. We’ve covered some key questions you should be asking potential vendors.
Additionally, you should ensure that your chosen penetration testing provider, as well as the engineers who will be working on your project, have the proper certifications and/or expertise. As a CREST-accredited provider of penetration testing services, Triaxiom can be trusted to meet your VAPT requirements. Our engineers are all OSCPs and hold the top certifications within the industry.