Monday, June 3, 2019

Vulnerability Assessment and Penetration Testing Comparison

Jignesh C Doshi
Bhushan Trivedi

ABSTRACT

Business use of the internet has grown drastically in the last decade. Attacks on web applications have increased. Web application security is a big challenge for any organization as a result of the increase in attacks. Different approaches exist to mitigate various security risks: defensive coding, hardening (firewall), monitoring and auditing. These solutions are oriented more towards prevention of attacks or monitoring. Vulnerability assessment and penetration testing are two approaches widely used by organizations to assess web application security. The two are different and complementary to each other. This paper provides a comparison of these two approaches. The authors found that penetration testing is better than vulnerability assessment because it exploits the vulnerability, while vulnerability assessment is superior to penetration testing in terms of coverage.

General Terms
Vulnerability Measurement, Penetration Testing

Keywords
Attack, Vulnerability, Security Risk, VAPT

1. INTRODUCTION

Web application usage has increased as more and more services become available on the web. Business use of web applications is also increasing day by day. On the other side, web application based attacks have increased. Web applications have become the main target of attackers. The major impact of attacks is data loss, financial loss or reputation loss.

Various types of countermeasures exist to protect systems against attacks, such as defensive coding, firewalls, intrusion detection systems, etc. [15]. Solutions fall into two categories: proactive and reactive. To secure web applications, a thorough study of vulnerabilities is required. Such a study helps in taking effective actions.

Vulnerability assessment and penetration testing are approaches widely used by organizations for web application security assessment.

In this paper, the authors compare vulnerability assessment and penetration testing.

The rest of the paper is organized as follows. Vulnerability assessment is discussed in section 2, Penetration testing is discussed in section 3. Section 4 describes the comparison between vulnerability assessment and penetration testing. The conclusion is given in section 5.

2. Current Web Application Security Trends

The number of internet users and websites has been increasing rapidly in recent years [9]. According to Gartner, approximately 66% of web applications have problems. According to advanced vulnerability assessment tools, 60% of vulnerabilities can be found in most web applications [12].

The security measures most commonly applied for web application security are firewalls, Intrusion Detection Systems (IDS), anti-virus systems and defensive coding [14][15]. These solutions either require developer skills or effort in general [15]. These solutions provide a way to assess the system, while organizations need a way to assess the security countermeasures. It is also necessary to assess web applications periodically against security risks in order to take effective actions.

3. Vulnerability Assessment

A vulnerability is a weakness or flaw in a system. Reasons for the existence of vulnerabilities are weak passwords, coding, input validation, misconfiguration, etc. An attacker tries to discover a vulnerability and then exploit it.

Vulnerability assessment is a proactive and systematic approach to discovering vulnerabilities. It is used to discover unknown problems in the system. It is also required by industry standards like DSS PCI from a compliance point of view.

Vulnerability assessment is achieved using scanners. It is a hybrid solution, which combines automated testing with expert analysis.

Figure 1 Vulnerability Assessment Process

Vulnerability assessment is a one-step process (refer to figure 1).
We will learn more details about vulnerability assessment in section 5.

4. Penetration Testing

A penetration test evaluates the security of a computer system or network by simulating an attack. It is a proactive and systematic approach to security assessment.

Figure 1 Penetration Testing Process

Penetration testing is a two-step process (refer to figure 2). We will learn more details about penetration testing in the next section.

5. Comparison

5.1 Generic

5.2 Resource Requirements

5.3 Testing

5.4 Results

5.5 Limitations

Major limitations of vulnerability assessment are:
- Cannot identify potential access paths
- Provides false positives
- Requires high technical skills for the tester
- Hybrid solution
- Cannot exploit flaws

Major limitations of penetration testing are:
- Identifies potential access paths
- Identifies only those which pose threats
- May not identify obvious vulnerabilities
- Cannot provide information about new vulnerabilities
- Cannot identify server-side vulnerabilities

6. Conclusion

With the exception of coverage, penetration testing is superior to vulnerability management.

Key benefits of penetration testing over vulnerability assessment are:
- The technical capability required in penetration testing is low compared to vulnerability assessment
- Can be used at runtime
- With penetration testing we can detect, confirm and exploit a vulnerability
- With penetration testing we can determine the resulting impact on the organisation

For effective security, it is important to understand vulnerabilities in detail.

Both are proactive strategies that are complementary to each other. We suggest using both together.

7. REFERENCES

Vulnerability Assessment and Penetration Testing, http://www.veracode.com/security/vulnerability-assessment-and-penetration-testing

John Barchie, Triware Networld Systems, Penetration Testing vs. Vulnerability Scanning, http://www.tns.com/PenTestvsVScan.asp

Penetration Testing Limits, http://www.praetorian.com/blog/penetration-testing-limits

Vulnerability Analysis, http://www.pentest-standard.org/index.php/Vulnerability_Analysis

Open Web Application Security Project, https://www.owasp.org/index.php/Category:Vulnerability

Penetration Testing, http://searchsoftwarequality.techtarget.com/definition/penetration-testing

Vulnerability Assessment and Penetration Testing, http://www.aretecon.com/aretesoftwares

Ankita Gupta, Kavita, Kirandeep Kaur, Vulnerability Assessment and Penetration Testing, International Journal of Engineering Trends and Technology, Volume 4 Issue 3, 2013, ISSN 2231-5381, pages 328-330

Konstantinos Xynos, Iain Sutherland, Huw Read, Emlyn Everitt and Andrew J.C. Blyth, Penetration Testing and Vulnerability Assessments: A Professional Approach, originally published in the Proceedings of the 1st International Cyber Resilience Conference, Edith Cowan University, Perth, Western Australia, 23rd August 2010, available at http://ro.ecu.edu.au/icr/16

You Yu, Yuanyuan Yang, Jian Gu, and Liang Shen, Analysis and Suggestions for the Security of Web Applications, International Conference on Computer Science and Network Technology, 2011, 978-1-4577-1587-7/111, IEEE

Andrey Petukhov, Dmitry Kozlov, Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing, https://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf, accessed on 31st January 2015

Parvin Ami, Ashikali Hasan, Seven Phrase Penetration Testing Model, International Journal of Computer Applications (0975-8887), Volume 59, No. 5, December 2012

Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones, An Overview of Penetration Testing, International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011, DOI 10.5121/ijnsa.2011.3602

Jignesh Doshi, Bhushan Trivedi, Assessment of SQL Injection Solution Approaches, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 4, Issue 10, October 2014, ISSN 2277 128X
