One hundred percent—all of the applications tested by Positive Technologies—had some kind of vulnerability. You might think, “Yeah, but how many of those were real, critical vulnerabilities?” Well, 94 percent of web applications tested contained a high-severity software flaw. Eighty-five percent of those same applications contained at least one confirmed, exploitable vulnerability.
Those are not encouraging numbers—in fact, they’re pretty frightening. How much data do these applications have about us? But these numbers also point to an important distinction in application vulnerabilities—potential threats versus exploitable threats.
How do you easily distinguish between the two? The answer is simple—Vulnerability Assessment and Penetration Testing (VAPT).
Introduction: The backstory on VAPT
Vulnerability Assessment and Penetration Testing (VAPT) may at first sound like a new term to the AppSec scene, but in reality, it’s simply a combination of two common (very important) application security activities. VAPT unites vulnerability assessment testing with penetration testing.
A vulnerability assessment is the examination of your application using a variety of tools and techniques to uncover potential vulnerabilities. This is accomplished through application security testing tools (which are outlined in detail in the resources section below).
Threats are identified, classified, and prioritized as part of the process. Different tools are better at identifying different types of vulnerabilities, so it is important not to rely solely on one tool for vulnerability assessment.
Vulnerability assessment tools are great at pinpointing threats that may expose your application to attack. They identify theoretical vulnerabilities.
But how do you know if these threats are actually exploitable? In the real world, can an attacker gain access to your application through these vulnerabilities? This is where penetration testing becomes invaluable.
Penetration testing (commonly referred to as pen testing) is the process of actively attacking your application to determine whether potential vulnerabilities can actually be exploited. In layman’s terms, it is a simulated attack (often done manually, though there are automated options that we recommend) against the code and systems that make up your application, such as APIs and servers.
There are several approaches that can be taken with pen testing:
- External—The attack is focused on systems and assets that are visible to external users and attackers.
- Internal—The application can be attacked from behind the firewall.
- Blind—This simulates a real-time attack, with the tester armed only with the name of the company.
- Double blind—Similar to the blind test, but the security team is not informed of the simulation, testing their ability to respond to a real-time attack.
- Targeted—A training approach to pen testing in which the pen tester and the security team keep each other informed to see how an attacker can get into the application and what steps security can take for a strong defense.
VAPT highlights the important point that no single type of testing can provide comprehensive application security. Both vulnerability assessments and penetration testing are necessary. In fact, scaling back or skimping on either type of testing leaves your application exposed to vulnerabilities that the other would not have caught.
There are several steps in a proper VAPT approach, such as:
- Planning the scope—Decide which systems and code will be included in the tests and which testing methods will be used.
- Data gathering—Gather data about the attack target(s).
- Vulnerability detection—Identify potential vulnerabilities and threats to the application. Use tools such as a vulnerability scanner to uncover additional information on the target.
- Gaining and maintaining access—Pen testers attempt to gain access to the application to see if they can, in fact, get in. Once in the system, the tester determines how long they can remain unnoticed and how much damage they can inflict.
- Covering tracks—Any changes made to the application are hidden so it is not obvious that an attack is underway.
- Reporting—Results from VAPT testing must be analyzed and documented. This includes recommendations and prioritization of threats that need to be addressed.
Perfect together: The benefits of VAPT
- Comprehensive application security—You can be confident that your application is thoroughly checked for different types of vulnerabilities, both internally and externally.
- Reputation management—A compromised application is bad for business. Recovery is often a long and slow road. VAPT decreases the chance that an attack will occur.
- Data security—VAPT creates more secure applications, increasing data security and protecting your intellectual property.
- Improved compliance—VAPT testing identifies whether your application is compliant with certain industry standards and regulations, such as PCI-DSS and ISO/IEC 27002. This is necessary if you want to avoid expensive fines.
- Application security is built into the process—Testing your application during development with VAPT makes security part of the process. This is an efficient and responsible way to build a secure application. The alternative (expensive fixes after a threat has been exploited) wastes money and resources.
Resources: VAPT testing tools
- Static Application Security Testing (SAST) tools—Automatically examine the source code, byte code, and application binaries for potential vulnerabilities. Examples include Veracode and CodeSonar.
- Dynamic Application Security Testing (DAST) tools—Simulate a real attacker, approaching the application from the outside to determine which threats are exploitable. A running application is required to use these tools.
- Interactive Application Security Testing (IAST) tools—Combine the benefits of SAST and DAST tools by using information from inside the application while it is running to identify vulnerabilities. A caveat is that these tools can negatively impact application performance. Vendors providing IAST tools include Acunetix and Contrast Security.
- Software Composition Analysis (SCA) tools—Analyze third-party source code, libraries, and frameworks used in your application to identify security vulnerabilities and licensing issues. Of course, this means you need to have an updated and accurate list of all third-party components used. Examples include Black Duck and Sonatype.
Penetration testing tools
- Burp Suite—A graphical tool for web application security testing that can detect SQL Injections, Cross-Site Scripting, and other vulnerabilities. There is a free version and a more robust paid option.
- OWASP Zed Attack Proxy (ZAP)—A free tool that helps pen testers identify vulnerabilities.
- Code Pulse—An open-source tool that automatically detects coverage during a pen test. As code is exercised, a visual representation of your application’s attack surface is updated in real-time, informing pen testers which parts of the application have been tested.
- Attack Surface Detector—An open-source tool that automatically identifies all unlinked or hidden endpoints, their parameters, and data types. This data can then be used to pre-seed OWASP ZAP or Burp Suite (both listed above). Attack Surface Detector is available both as a standard command-line interface and as plugins for ZAP and Burp Suite.
It may seem overwhelming to think about using all of the above tools to manage both vulnerability assessments and penetration testing. Fortunately, there is another class of tool that helps make sense of the myriad results.
Application Vulnerability Correlation (AVC) tools simplify the process of managing results from multiple tools. The more robust AVC tools on the market even offer features that support VAPT by correlating static and dynamic testing results.
- Hybrid analysis—Results from SAST tools and DAST tools are combined, identifying which potential vulnerabilities are actually exploitable. This increases the comprehensiveness of VAPT testing and provides proof that potential vulnerabilities are exploitable. These are the vulnerabilities you need to fix first.
- Escalations—Users can escalate a finding and make notes on how a vulnerability was exploited.
- Deduplication—Results from SAST, DAST, IAST, SCA, and pen testing tools are correlated into a single report. Duplicates are removed, making it easier to digest the results. Findings from manual testing can also be entered into the system, so these results are included in deduplication.
- Remediation management—The specific lines of code containing vulnerabilities are flagged, making remediation easier. Team members can be assigned tasks through a central console, with tracking options to make sure issues are corrected promptly.
- Compliance checks—Automatically check your codebase against regulations such as HIPAA, the DISA-STIG, and the PCI-DSS. Violating lines of code are flagged, and the specific violation is identified.
- Workflow integration—Many AVC tools integrate with developer environments such as Eclipse and Jenkins. Developers are alerted to vulnerabilities within the tools they already use, rather than having to adopt and manage yet another tool.
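To make the hybrid-analysis and deduplication ideas above concrete, here is an added example (not code from the page or from any AVC vendor) that correlates constructed SAST and DAST findings: findings are keyed on CWE id plus the handler file, duplicate scanner reports collapse into one entry, and a weakness both flagged statically and exercised dynamically on the route that handler serves is promoted to "exploitable". The tool names, file paths, endpoints and the route-to-handler map are all assumed sample values.

```python
from typing import Dict, List, Tuple

# Constructed sample findings standing in for SAST and DAST tool exports (not real tool output).
# SAST findings point at source locations; DAST findings point at HTTP endpoints.
SAST = [
    {"tool": "sast-a", "cwe": 89, "file": "app/orders.py", "line": 42},
    {"tool": "sast-b", "cwe": 89, "file": "app/orders.py", "line": 42},  # same flaw, second scanner
    {"tool": "sast-a", "cwe": 79, "file": "app/profile.py", "line": 17},
]
DAST = [
    {"tool": "dast-x", "cwe": 89, "url": "/api/orders", "param": "id"},
    {"tool": "dast-x", "cwe": 352, "url": "/api/profile", "param": None},
]
# Assumed route map from endpoint to the handler's source file; a real pipeline would take this
# from the framework's route table or an attack-surface tool.
ROUTES = {"/api/orders": "app/orders.py", "/api/profile": "app/profile.py"}


def _entry(cwe: int, location: str) -> dict:
    return {"cwe": cwe, "file": location, "sources": set(), "lines": set(), "urls": set()}


def correlate(sast: List[dict], dast: List[dict], routes: Dict[str, str]) -> List[dict]:
    """Merge findings into one deduplicated list keyed on (CWE, handler file).

    A weakness reported statically in a handler AND exercised dynamically on the route that
    handler serves is marked 'exploitable' and sorted first; everything else stays 'potential'.
    """
    merged: Dict[Tuple[int, str], dict] = {}
    for f in sast:
        e = merged.setdefault((f["cwe"], f["file"]), _entry(f["cwe"], f["file"]))
        e["sources"].add("SAST")
        e["lines"].add(f["line"])
    for f in dast:
        # Fall back to the URL itself when no handler is known for the endpoint.
        location = routes.get(f["url"], f["url"])
        e = merged.setdefault((f["cwe"], location), _entry(f["cwe"], location))
        e["sources"].add("DAST")
        e["urls"].add(f["url"])
    for e in merged.values():
        both = {"SAST", "DAST"} <= e["sources"]
        e["priority"] = "exploitable" if both else "potential"
    # Confirmed-exploitable findings first, then by CWE id for a stable report order.
    return sorted(merged.values(), key=lambda e: (e["priority"] != "exploitable", e["cwe"]))


if __name__ == "__main__":
    for e in correlate(SAST, DAST, ROUTES):
        print(f'{e["priority"]:11} CWE-{e["cwe"]} {e["file"]} lines={sorted(e["lines"])} urls={sorted(e["urls"])}')
```

The five raw findings collapse to three report entries, with the SQL injection in the orders handler confirmed from both sides and listed first.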
The union of vulnerability assessments and penetration testing through VAPT is powerful and logical. The list of possible threats is narrowed down to the real culprits, so you know where to focus your attention for maximum application security.