Vulnerability Assessment and Penetration Testing (VAPT)

  • by Yatin Jog
  • 11 Months ago

Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.


Vulnerability Assessment and Penetration Testing (VAPT) provides enterprises with a more comprehensive application evaluation than any single test alone. Using the Vulnerability Assessment and Penetration Testing (VAPT) approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks. Vulnerabilities can be found in applications from third-party vendors and internally made software, but most of these flaws are easily fixed once found. Using a VAPT provider enables IT security teams to focus on mitigating critical vulnerabilities while the VAPT provider continues to discover and classify vulnerabilities.


Vulnerability Assessment Process Block Diagram


Setup and Scoping – The most important phase of a solid information security assessment. This is also known as scoping. Always consider external systems, internal systems and systems hosted by third parties in the cloud, as well as websites, portals, applications and infrastructure.

The Setup and Scoping phase consists of the following key activities:

  • Begin Documentation
  • Secure Permission
  • Update Tools
  • Configure Tools
  • Defining and classifying network or system resources.
  • Assigning a priority to each resource (e.g. High, Medium, Low).
  • Identifying potential threats to each resource.
  • Developing a strategy to deal with the highest-priority problems first.
  • Defining and implementing ways to minimize the consequences if an attack occurs.


Testing – Start with vulnerability scans, sift through the scanner findings, perform manual analysis and see what’s vulnerable to attack in the context of your environment and business. This phase should include password cracking, wireless network analysis and especially email phishing.

The Testing phase consists of the following key activities:

  • Run the tools
  • Try different payloads


Reporting – A clear and concise security assessment report that outlines prioritized findings and recommendations. The Common Vulnerability Scoring System (CVSS) is a very common scoring system used in reports to separate critical, high, moderate and low vulnerabilities.


Resolution – Perform a remediation validation of critical and high-priority findings as a follow-up to your security assessment, 30 to 45 days after the report has been delivered and the findings have been assigned.



Vulnerability analysis consists of the following steps:

  • Defining and classifying network or system resources
  • Assigning relative levels of importance to the resources
  • Identifying potential threats to each resource
  • Developing a strategy to deal with the most serious potential problems first
  • Defining and implementing ways to minimize the consequences if an attack occurs.


If security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.


The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack. These types of exercises are known as IT security audits, penetration tests or information security assessments.


Information security assessments can be effective for identifying and fixing issues in your enterprise’s policies before someone exploits them. Take the time necessary to properly plan out your information security assessment, ensure the work is completed and see to it that the proper staff members in IT, development, management and elsewhere are made aware of the findings so that the issues can be addressed.


No good information security assessment program ever got off the ground or succeeded long term without the support of management. It’s as simple as that. If leadership is not willing to invest the resources required to take an honest look at their enterprise information systems environment, then everything else will be an uphill battle. Focus on getting — and keeping — the right people on board. The onus is not on management, but rather on IT and security staff members and leadership.



What is the difference between VA and PT?

Vulnerability assessment tools discover which vulnerabilities are present, but they do not differentiate between flaws that can be exploited to cause damage and those that cannot. Vulnerability scanners alert companies to the preexisting flaws in their code and where they are located. Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible and identify which flaws pose a threat to the application. Penetration tests find exploitable flaws and measure the severity of each. A penetration test is meant to show how damaging a flaw could be in a real attack rather than find every flaw in a system. Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application and the risks associated with those flaws.


-Yatin Jog
