Vulnerability Assessment and Penetration Testing Comparison

  • Jignesh C Doshi
  • Bhushan Trivedi

ABSTRACT

Business using internet has grown drastically in past decade. Attacks on web application have increased. Web application security is a big challenge for any organizations as result of increasing attacks. There exists different approaches to mitigate various security risks are defensive coding, hardening (Firewall), Monitoring and auditing. This solutions found more towards prevention of attacks or of monitoring types of. Vulnerability assessment and Penetration testing are two approaches widely used by organizations to assess web application security. Both solutions are different and complimentary to each other. In this paper comparison of these two approaches are provided. Authors found that penetration testing is better compare to vulnerability assessment as it exploits vulnerability, while vulnerability assessment is superior in terms of coverage over penetration testing.

General Terms

Vulnerability Measurement, Penetration Testing

Keywords

Attack, Vulnerability, Security Risk, VAPT,

1. INTRODUCTION

Web application usage has increased as more and more services are available on web. Business using Web applications is also increasing day by day. On other side, web application based attacks have increased. Web application have become main target of attackers. Major impact of attacks is data loss or financial loss or reputation loss.

Various types of countermeasures exists to protect system against attacks like defensive coding, firewall, Intrusion detection system etc. [15]. The solution exists in two categories: proactive and reactive. To secure web applications, thorough study of vulnerabilities is required. Study will help in taking effective actions. Vulnerability measurement and Penetration testing are widely used approaches by organizations for web application security assessment.

In this paper, authors have compared vulnerability assessment and penetration testing.

The rest of the paper is organized as follows. Vulnerability assessment is discussed in section 2, Penetration testing is discussed in Section 3. Section 4 describes comparison between vulnerability assessment and penetration testing. Conclusion is described in section 5.

2. Current Web Application Security Trends

The number of internet users and websites are increasing rapidly in recent years [9]. Approximately 66% of web applications have problem as per Gartner. According to sophisticated vulnerability assessment tools 60% vulnerabilities can be found in most of web applications [12].

Security measures most commonly applied for web application security are firewalls, Intrusion Detection System (IDS), Anti-virus System and defensive coding [14][15]. This solution either requires developer skills or efforts in common [15]. These solutions provide a way to assess system, while organizations need a way to assess security countermeasure assessment. It is also necessary to assess web application periodically against security risks in order to take effective actions.

3. Vulnerability Assessment

Vulnerability is a weakness or flaw in a system. Reasons for vulnerability existence are weak password, coding, input validation, misconfiguration etc. Attacker tries to discover vulnerability and then exploit it.

Vulnerability assessment is a proactive and systematic strategy to discover vulnerability. It is used to discover unknown problems in the system. It is also required by industry standard like DSS PCI from compliance point of view.

Vulnerability assessment is achieved using scanners. It is a hybrid solution, which combines automated testing with expert analysis.

Figure 1: Vulnerability Assessment Process

Vulnerability assessment is a one step process ( Refer to figure 1). We will learn more details about vulnerability assessment in section 5.

4. Penetration Testing

A penetration testing evaluates the security of a computer system or network by simulating an attack. It is a proactive and systematic approach for security assessment.

Figure 1: Penetration Testing Process

Penetration testing is a two steps process (refer to figure 2). We will learn more details about penetration in next section.

5. Comparison

5.1 Generic

 

Vulnerability

Assessment

Penetration Testing

Working

Discover vulnerabilities

Discover and exploit vulnerabilities

Alerts pre-existing flaws found in code

Shows how damaging flaws pose a threat to application

Do not differentiate between flaws that can cause damage or not

Gives detail picture of flaws found in application with risk associated with it

Mechanism

Discovery & Scanning

Simulation

Process

One step :

Find vulnerability

Two step process: Find and exploit vulnerability

Focus

Breadth over depth

Depth over breadth

Type

Hybrid solution

One solution for multiple vulnerabilities testing

Coverage of completeness

High

Low

Defend ability

Medium

High

Control

Detective control, used to detect when equipment is compromised.

Preventative control used to reduce exposures

Cost

Low to moderate

High

Performed by

In house staff

Attacker, Pen tester

 

5.2 Resource Requirements

 

Vulnerability Measurement

Penetration Testing

Internal Resource Requirement

Medium

Low

External Resource Requirement

High

High

Tester Knowledge

High

Low

 

5.3 Testing

 

Vulnerability Measurement

Penetration Testing

Testing of other security Investments

Not possible

Determine whether other security investments are functioning properly or not

Security Risk Assessment

Not possible

Provide security risk assessment as mimics attacks just like attacker

Testing

Does not simulate attacks

Simulates real world attacks

How often to run

Continuously, especially after new equipment is loaded

Periodically

5.4 Results

 

Vulnerability Assessment

Penetration Testing

Reports

Comprehensive baseline of what vulnerabilities exist and changes from the last report

Short and to the point, identifies what data was actually compromised

Metrics

Lists known software vulnerabilities that may be exploited

Discovers unknown and exploitable exposures to normal business processes

Results

Provides partial evaluation of vulnerabilities

Provides complete evaluation of vulnerabilities

 

5.5 Limitations

Major limitations of Vulnerability Assessments are:

ï‚· Cannot identify potential access path

ï‚· Provides false positive

ï‚· Requires high technical skills for tester

ï‚· Hybrid solution

ï‚· Cannot exploit flaws

Major limitations of Penetration testing are:

ï‚· Identifies potential access paths

ï‚· Identifies only those which poses threats

ï‚· May not identify obvious vulnerability

ï‚· Cannot provide information about new vulnerabilities

ï‚· Cannot identify server side vulnerabilities

6. Conclusion

With the exception of coverage, penetration testing is superior to vulnerability management.

Key benefits of penetration testing over vulnerability assessment are:

  • Technical capability required in penetration testing is low compare to vulnerability assessment
  • Can be used runtime
  • With penetration testing we can detect, confirm and exploit vulnerability.
  • With penetration testing can determine the resulting impact on the organisation.

For effective security, it is important to understand vulnerability in details.

Both are complimentary strategies to each other and proactive. We suggest to use both together.

7. REFERENCES

  1. Vulnerability Assessment and Penetration Testing: http://www.veracode.com/ security/vulnerability-assessment-and-penetration-testing
  2. John Barchie, Triware Net world Systems, Penetration Testing vs. Vulnerability Scanning: http://www.tns.com/PenTestvsVScan.asp
  3. Penetration Testing Limits http:// www.praetorian.com/blog/penetration-testing-limits
  4. Vulnerability Analysis, http://www.pentest-standard.org/index.php/ Vulnerability Analysis
  5. Open Web Application Security Project, https://www.owasp.org/index.php/Category: Vulnerability
  6. Penetration Testing: http://searchsoftwarequality .techtarget.com/definition/penetration-testing
  7. Vulnerability Assessment and Penetration Testing: http://www.aretecon.com/aretesoftwares
  8. Ankita Gupta, Kavita, Kirandeep Kaur: Vulnerability Assessment and Penetration Testing,
  9. International Journal of Engineering Trends and Technology- Volume4 Issue3- 2013, ISSN: 2231-5381 Page 328-330
  10. Konstantinos Xynos, Iain Sutherland, Huw Read, Emlyn Everitt and Andrew J.C. Blyth: PENETRATION TESTING AND VULNERABILITY ASSESSMENTS: A PROFESSIONAL APPROACH, Originally published in the Proceedings of the 1st International Cyber Resilience Conference, Edith Cowan University, Perth Western Australia, 23rd August 2010 available at : http://ro.ecu.edu.au/icr/16
  11. You Yu, Yuanyuan Yang, Jian Gu, and Liang Shen, Analysis and Suggestions for the Security of Web Applications,, International Conference on Computer Science and Network Technology, 2011, 978-1-4577-1587-7/111, IEEE
  12. Andrey Petukhov, Dmitry Kozlov, Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing, https://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf accessed on 31st January 2015
  13. Parvin Ami, Ashikali Hasan: Seven Phrase Penetration Testing Model,International Journal of Computer Applications (0975 – 8887),Volume 59– No.5, December 2012
  14. Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones,an overview of penetration testing, International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November 2011 DOI :10.5121/ijnsa.2011.3602
  15. Jignesh Doshi, Bhushan Trivedi, Assessment of SQL Injection Solution Approaches, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 4, Issue 10, October 2014 ISSN: 2277 128X

1

Place your order
(550 words)

Approximate price: $22

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2018 at 10:52 AM
Total price:
$26
The price is based on these factors:
Academic level
Number of pages
Urgency
Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our Guarantees

Money-back Guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism Guarantee

Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.

Read more

Free-revision Policy

Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.

Read more

Privacy Policy

Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.

Read more

Fair-cooperation Guarantee

By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.

Read more