
Saturday, March 30, 2019

Vulnerability Assessment and Penetration Testing Comparison

Jignesh C Doshi, Bhushan Trivedi

ABSTRACT

The business sector using the internet has grown drastically in the past decade. Attacks on web applications have increased. Web application security is a big challenge for any organization as a result of the increased attacks. There exist different approaches to mitigate various security risks: defensive coding, hardening (firewall), monitoring and auditing. These solutions are oriented more towards prevention of attacks or are of the monitoring type. Vulnerability assessment and penetration testing are two approaches widely used by organizations to evaluate web application security. Both solutions are different and complementary to each other. In this paper a comparison of these two approaches is provided. The authors found that penetration testing is better compared to vulnerability assessment as it exploits vulnerabilities, while vulnerability assessment is superior in terms of coverage over penetration testing.

General Terms: Vulnerability Assessment, Penetration Testing

Keywords: Attack, Vulnerability, Security Risk, VAPT

1. INTRODUCTION

Web application usage has increased as more and more services are available on the web. Business using web applications is also increasing day by day. On the other side, web application based attacks have increased. Web applications have become the main target of attackers. The major impact of attacks is data loss, financial loss or reputation loss. Various types of countermeasures exist to protect systems against attacks, like defensive coding, firewalls, intrusion detection systems etc. [15]. The solutions exist in two categories: proactive and reactive. To secure web applications, a thorough study of vulnerabilities is required. The study will help in taking effective actions.
Vulnerability assessment and penetration testing are widely used approaches by organizations for web application security assessment. In this paper, the authors have compared vulnerability assessment and penetration testing.

The rest of the paper is organized as follows. Vulnerability assessment is discussed in section 2, penetration testing is discussed in section 3. Section 4 describes the comparison between vulnerability assessment and penetration testing. The conclusion is described in section 5.

2. Current Web Application Security Trends

The number of internet users and websites has been increasing rapidly in recent years [9]. Approximately 66% of web applications have problems as per Gartner. According to sophisticated vulnerability assessment tools, 60% of vulnerabilities can be found in most web applications [12]. Security measures most commonly applied for web application security are firewalls, Intrusion Detection Systems (IDS), anti-virus systems and defensive coding [14][15]. These solutions either require developer skills or effort in common [15]. These solutions provide a way to secure the system, while organizations also need a way to assess the security countermeasures. It is also necessary to assess web applications periodically against security risks in order to take effective actions.

3. Vulnerability Assessment

A vulnerability is a weakness or flaw in a system. Reasons for vulnerability existence are weak passwords, coding flaws, input validation flaws, misconfiguration etc. An attacker tries to discover a vulnerability and then exploit it.

Vulnerability assessment is a proactive and systematic strategy to discover vulnerabilities. It is used to discover unexplored problems in the system. It is also required by industry standards like PCI DSS from a compliance point of view. Vulnerability assessment is achieved using scanners.
It is a hybrid solution, which combines automated testing with expert analysis.

[Figure 1: Vulnerability Assessment Process]

Vulnerability assessment is a one step process (refer to Figure 1). We will learn more details about vulnerability assessment in section 5.

4. Penetration Testing

Penetration testing evaluates the security of a computer system or network by simulating an attack. It is a proactive and systematic approach for security assessment.

[Figure 2: Penetration Testing Process]

Penetration testing is a two step process (refer to Figure 2). We will learn more details about penetration testing in the next section.

5. Comparison

5.1 Generic

5.2 Resource Requirements

5.3 Testing

5.4 Results

5.5 Limitations

Major limitations of vulnerability assessment are:
- Cannot identify potential access paths
- Provides false positives
- Requires high technical skills for the tester
- Hybrid solution
- Cannot exploit flaws

Major limitations of penetration testing are:
- Identifies potential access paths
- Identifies only those which pose threats
- May not identify obvious vulnerabilities
- Cannot provide information about new vulnerabilities
- Cannot identify server side vulnerabilities

6. Conclusion

With the exception of coverage, penetration testing is superior to vulnerability management. Key benefits of penetration testing over vulnerability assessment are:
- Technical capability required in penetration testing is low compared to vulnerability assessment
- Can be used at runtime
- With penetration testing we can detect, confirm and exploit vulnerabilities
- With penetration testing we can determine the resulting impact on the organisation

For effective security, it is important to assess vulnerabilities in detail. Both are complementary strategies to each other and proactive. We suggest using both together.

7. REFERENCES

[1] Vulnerability Assessment and Penetration Testing, http://www.veracode.com/security/vulnerability-assessment-and-penetration-testing
[2] John Barchie, Triware Networld Systems, Penetration Testing vs. Vulnerability Scanning, http://www.tns.com/PenTestvsVScan.asp
[3] Penetration Testing Limits, http://www.praetorian.com/blog/penetration-testing-limits
[4] Vulnerability Analysis, http://www.pentest-standard.org/index.php/Vulnerability_Analysis
[5] Open Web Application Security Project, https://www.owasp.org/index.php/Category:Vulnerability
[6] Penetration Testing, http://searchsoftwarequality.techtarget.com/definition/penetration-testing
[7] Vulnerability Assessment and Penetration Testing, http://www.aretecon.com/aretesoftwares
[8] Ankita Gupta, Kavita, Kirandeep Kaur, Vulnerability Assessment and Penetration Testing, International Journal of Engineering Trends and Technology, Volume 4, Issue 3, 2013, ISSN 2231-5381, pages 328-330
[9] Konstantinos Xynos, Iain Sutherland, Huw Read, Emlyn Everitt and Andrew J.C. Blyth, Penetration Testing and Vulnerability Assessments: A Professional Approach, originally published in the Proceedings of the 1st International Cyber Resilience Conference, Edith Cowan University, Perth, Western Australia, 23rd August 2010, available at http://ro.ecu.edu.au/icr/16
[10] You Yu, Yuanyuan Yang, Jian Gu, and Liang Shen, Analysis and Suggestions for the Security of Web Applications, International Conference on Computer Science and Network Technology, 2011, 978-1-4577-1587-7/11, IEEE
[11] Andrey Petukhov, Dmitry Kozlov, Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing, https://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf, accessed on 31st January 2015
[12] Parvin Ami, Ashikali Hasan, Seven Phrase Penetration Testing Model, International Journal of Computer Applications (0975-8887), Volume 59, No. 5, December 2012
[13] Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones, An Overview of Penetration Testing, International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011, DOI 10.5121/ijnsa.2011.3602
[14] Jignesh Doshi, Bhushan Trivedi, Assessment of SQL Injection Solution Approaches, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 4, Issue 10, October 2014, ISSN 2277 128X
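The paper's conclusion recommends running vulnerability assessment and penetration testing together, because the scanner gives coverage (with false positives and no exploitation) while the penetration test confirms exploitability and finds access paths the scanner cannot. The following Python model, added here and not part of the paper, shows how a defender can merge the two result sets into one triage list; the `Finding` type, the `triage` and `prioritised` functions, and every finding listed are constructed assumptions for illustration.

```python
"""Triage model for the paper's closing advice: run vulnerability assessment (VA)
and penetration testing (PT) together. Added example; all findings below are
constructed sample data, not real scan output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    location: str    # URL path, host:port, or a chained access path
    weakness: str    # weakness class reported
    confirmed: bool  # PT: exploit demonstrated; VA scanners never set this
    impact: str = "unknown"


# Constructed VA output: broad coverage, nothing exploited, may contain false positives.
VA_FINDINGS = [
    Finding("/login", "SQL injection", False),
    Finding("/search", "reflected XSS", False),
    Finding("/admin", "directory listing", False),
    Finding("server:443", "outdated TLS library (version match)", False),
]
# Constructed PT results: narrower, each item verified, may include chained paths.
PT_FINDINGS = [
    Finding("/login", "SQL injection", True, impact="user table disclosed"),
    Finding("/search", "reflected XSS", False, impact="payload filtered; not exploitable"),
    Finding("/export -> /admin", "chained access path", True, impact="admin access"),
]


def triage(va, pt):
    """Sort findings into the categories the comparison in sections 5 and 6 implies."""
    pt_by_key = {(f.location, f.weakness): f for f in pt}
    result = {"confirmed": [], "refuted": [], "unverified": [], "pt_only": []}
    for f in va:
        p = pt_by_key.pop((f.location, f.weakness), None)
        if p is None:
            result["unverified"].append(f)  # VA coverage only: needs manual verification
        elif p.confirmed:
            result["confirmed"].append(p)   # VA flagged it, PT exploited it
        else:
            result["refuted"].append(p)     # VA false positive, shown by PT
    result["pt_only"].extend(pt_by_key.values())  # access paths VA cannot see
    return result


def prioritised(va, pt):
    """Work order: confirmed (known impact), then PT-only chains, then unverified."""
    t = triage(va, pt)
    return [f.location for f in t["confirmed"] + t["pt_only"] + t["unverified"]]
```

The "unverified" bucket is where the scanner's extra coverage lives; the "refuted" bucket is the false-positive cost the paper lists as a limitation of vulnerability assessment.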
