
Vulnerability Assessment and Penetration Testing: tools to evolve


Over the past years, literature concerning these two proactive security services has been largely disseminated and there is an online abundance of definitions, articles and glossaries that technically describe their characteristics, differences and scope in relation to laws and international schemes that require the employment of either one or the other.
Nonetheless, despite instant availability of information, the choice between these two tools still represents a crucial issue for the Customer that wants to focus on assessing the real security posture of its business processes.
The following diagram illustrates the various stages of the process that leads to achievement of this goal in relation to the degree of attention dedicated to security and the actual security posture:
[Diagram 1 of 2: Vulnerability Assessment and Penetration Testing: tools to evolve]
The most common scenario is represented by a Customer with a medium/low maturity level (exemplified by the blue square in the above diagram) that is starting to become aware of its exposure to threats. A detailed analysis of the security posture will lead to the necessary level of attention and enable remediation.

A second scenario is represented by a Customer that has already achieved a higher maturity level (depicted by the green square in the above diagram) and wants to gain control and maintain its acquired security posture through a process of continuous improvement.

Combined use of Vulnerability Assessment and Penetration Testing (from which the necessary remediation activities are derived) in both the above-mentioned examples is crucial for achieving the described goals.

In detail:

Vulnerability Assessment

It produces a list of known vulnerabilities that are immediately identifiable on a specific target (software vulnerabilities, default credentials, etc.), with the aim of remediating them through priority assignment and remediation tasks carried out in a short period.
It is based on a semi-automatic analysis (during which a Security Advisor applies their own expertise to eliminate false positives and deliver the final report) aimed at revealing potential vulnerabilities (lack of software updates, invalid certificates, unnecessary open network ports, etc.). The Vulnerability Assessment simulates a generic, low-profile attack delivered automatically (malware, virus, script kiddie). However, it does not consider the following key factors: flaws arising from the management of complex applications, unusual configurations that cause risks that may not be immediately detectable, accountability of user actions, architectural or process issues, obsolete or, on the other hand, cutting-edge technologies, etc.

Penetration Test

It demonstrates how a previously identified target can be violated and assesses the risks for the environment in which it is deployed. The aim is remediation at the source of the issue, acting on all the factors exploited by the attacker (networks, systems, applications, users, physical locations, etc.), by testing one's security posture through exposure to attacks carried out by experts.
The Penetration Test (obviously integrated with the Vulnerability Assessment) allows systematic, consistent, and repeatable assessments (if applied in full respect of a shared methodology), through numerous attack vectors, of whether the detected vulnerabilities can feasibly be exploited by an ethical hacker. By correlating various vulnerabilities it is possible to determine and technically prove exposure to risks (service interruption, data damage or theft, defacement, etc.), and also to analyse vulnerabilities due to application logic or process flaws, which are not verifiable through automatic or semi-automatic analysis.

These two tools are therefore very different, but both contribute, each in its own way, to delineating a highly precise picture of the real security state at the moment in time in which they are applied.

The Customer who is starting to take security issues into consideration will begin by analysing the results of a Vulnerability Assessment and a Penetration Test and then approach the subsequent remediation plan.

The Customer who has already reached maturity, having passed the stage described above, instead tends to want to maintain the level of security achieved over time by keeping a high level of attention. This can be achieved through the introduction of a process that mandates the execution of several Vulnerability Assessment tasks at fixed intervals (e.g. quarterly) combined with a Penetration Test to be executed at least on an annual basis. It is a good practice which is also followed by international standards such as PCI DSS and ISO/IEC 27001.

The following diagram illustrates the two different ways of using these instruments, according to the degree of attention devoted to security and the actual security posture acquired:
[Diagram 2 of 2: Vulnerability Assessment and Penetration Testing: tools to evolve]
The task of a Security Advisory Company is therefore to detect the correct posture of the Customer, according to its degree of attention to security and its actual state, and then lead it through the various maturity stages until the adoption of a process that puts it in a position to govern its own security, in order to obtain the maximum benefits from the correct use of the available tools.

A task that a Security Advisory Company will satisfy through its talent, professionalism, reputation, and references.