Athena Dynamics Young Writers Series: Vulnerability Assessment & Penetration Testing – Which is best for me?
Author: Bryan Lim, Business Development Intern, Athena Dynamics
Copyright © May 2021 All Rights Reserved Athena Dynamics Pte Ltd
Advisory Editor: Nyan Tun Zaw, VP of Business Development, Athena Dynamics
Why has this blogpost been written?
With the demand for VAPT services increasing due to the added need for securing one’s services, we have naturally also received an uptick in inquiries when handing requests from customers regarding VAPT services (Vulnerability Assessment & Penetration Testing), we occasionally come across uncertainty or confusion regarding this term.
What is Vulnerability Assessment? (VA)
Firstly, let us take a look at what Vulnerability assessment (VA) entails. According to the CSA (Cyber Security Agency), a Singapore governmental Agency, vulnerability assessment is a minimally intrusive method which aims to provide a prioritized list of security vulnerabilities. To explain in greater detail, a vulnerability assessment identifies vulnerabilities present in a system, determines the severity of them and ranks them, usually in the form of a report. This allows organizations and companies to suitably delegate their resources to address critical vulnerabilities in the infrastructure or application. Vulnerability assessment is a very important service in the arsenal of cybersecurity initiatives which companies can use to safeguard their systems. It is recommended to be conducted regularly as new vulnerabilities may be introduced with every new update or patch, and such vulnerabilities need to be identified and addressed.
What is Penetration Testing? (PT)
This brings me on to my next point on Penetration Testing (PT). Unlike vulnerability assessment, a Pen-Test (Short for Penetration Test) takes a significantly more intrusive approach as it is a simulated cyberattack. Typically, Pen-tests are manually conducted, with a Pen-tester (an ethical hacker) exploiting vulnerabilities in the system to gain access to it, and at the same time evaluating the extent of exploitability of the vulnerabilities. These tests are emulated as realistically as possible to actual cyberattacks, allowing organizations and companies to understand what would likely happen in the event of an actual cyberattack. Once the level of exploitability of each vulnerability is determined, the organization can then evaluate their options and patch the most critical ones first, followed by patching the rest of the findings. Additionally, penetration tests evaluate the robustness of the IT system being tested in withstanding a cyberattack.
Differences between Vulnerability Assessment and Penetration Testing
As seen in the explanations above, Vulnerability Testing and Penetration Testing have differing purposes and operate in different manners. Vulnerability Assessment and Penetration Testing are often used in tandem to provide a comprehensive overview of any potential security lapses in the IT System being tested. For example, Vulnerability Assessment is often done before Penetration Testing, where it is used to probe for vulnerabilities, helping the pen-tester to gain a foothold in system when he or she is conducting the Manual Penetration Test. A Vulnerability Assessment merely uncovers security vulnerabilities but does not exploit these vulnerabilities. On the other hand, Penetration Testing would attempt to exploit the vulnerabilities discovered. Both Vulnerability Assessment and Penetration Testing will generate a detailed report of vulnerabilities, also providing suggestions on how these flaws can be patched and addressed. However, Vulnerability Assessment reports will not cover exploitation information, as such information can only be gleamed from a Penetration Test. As stated earlier, both are often conducted together, despite having distinct differences, and therefore they are commonly referred to as VAPT Testing, with this term potentially causing some confusion as others may use VA and PT interchangeably thinking they are similar.
When should only Vulnerability Assessment/ Penetration Testing or both be conducted?
After looking at the differences between Vulnerability Assessment and Penetration Testing, the next question we commonly receive is: How do I know which option is the best for my Company or Organization? Our answer is that it depends. Determining which option to be used is based on how valuable the resource or asset being tested is. Typically, if it is a lower value system, Vulnerability Assessment alone should suffice. This is assuming such lower value systems, in the event of it being compromised, will not have a significant impact on the company (in terms of being able to conduct daily operations or reputation being adversely affected). Contrary to lower value systems, there may be devastating consequences for the company in the event of a cyberattack or breach of Higher value systems. Such attacks on the critical infrastructure of the company may cripple daily operations, causing the operations of the company to grind to a halt or even user data to be compromised and leaked, resulting in a nosedive of the company’s reputation. Furthermore, such high value systems are tempting targets to malicious actors and hackers who may attempt to hold them or the data inside hostage as a form of cyber ransom attack. As such, they would likely spend more time and effort coming up with innovative ways to compromise the system. Therefore, High Value systems ought to undergo both Vulnerability assessment and Penetration testing to discover potential vulnerabilities and minimize the risk of them being compromised. Understanding which options to choose to address the specific needs also allows an organization/ company to delegate their resources efficiently, and not spend on services which may not be needed. One example would be not doing a Penetration Test on a lower value system but only a Vulnerability assessment thus saving cost as Penetration Tests are significantly more expensive and time-consuming compared to a Vulnerability Assessment scan.
How we can assist with your VAPT needs
To emphasize, VAPT is essential in ensuring the security of one’s IT systems and should be conducted on a regular basis to uncover new exploits and should not be a service which is skimped on. Whether it is Vulnerability Assessment or Penetration testing which your organization need, we at Athena Dynamics have you covered. Through our gha (good hackers alliance) initiative, we offer comprehensive VAPT services for your cybersecurity needs. Our experienced group of penetration testers are handpicked and are themselves security professionals with world class track records, having been the consecutive winners of several hacking competitions such as the DefCon CTF. Additionally, we are seeing an upcoming trend in the form of Automated VAPT tools, a revolutionary development in the security testing industry, which would allow scaling up operations easily, drastically reduce the cost and increasing the frequency of testing.
This will be further covered in a subsequent article under the Young Writer’s Series in our blog.
You can contact us regarding your VAPT needs or find more information by emailing us at: [email protected]
More information on good hackers alliance can also be found here.
Bryan Lim is an Associate (Intern) in the business development team in Athena Dynamics Pte Ltd, a subsidiary of BH Global Corporation Ltd, a company listed on the Singapore Stock Exchange (SGX).
Contact: [email protected]
Nyan Tun Zaw is the VP of Business Development at Athena Dynamics Pte Ltd, which is a subsidiary of BH Global Corporation Ltd, an SGX mainboard listed company.
With a wide range of background in cybersecurity, software development, web development as well as networking, Zaw has in-depth experiences in deploying security solutions for several highly confidential government and critical infrastructure projects, particularly in the CDR/CDNR field as a technical lead. His interest mainly lies in Cybersecurity and AIML.
Zaw holds a Bachelor of Business Management, with double majors in Finance and Information Systems, from Singapore Management University as well as Master of Business Administration (MBA) from Quantic School of Business and Technology. He is also a holder of the Certified Ethical Hacker (CEH) and EC-council Certified Security Analyst (ECSA) certificates.
Being a technical person who also likes sharing his experiences and knowledge, Zaw has also been part of a speaking panels with global C-level executives at various events and conferences in the region.
Contact: [email protected]
Disclaimer: Neither BH Global, Athena Dynamics nor the writer guarantees full and timely accuracy of the write-up. Readers shall read with their own discretion, judgement and research if in doubt. If you wish to contribute further writings, please feel free to contact us.
Not for General Distribution. Copyright © 2021 All Rights Reserved. No part of this presentation materials may be distributed/reproduced without the writers’ expressed consent.
Proection Group International Ltd, 2019, “What’s the difference between a Vulnerability Assessment and a Penetration Test?” Retrieved 4 May 2021
Sayamini Sreedharan & Gruru99, “What is Vulnerability Assessment? Testing Process, VAPT Scan Tool” Retrieved 4 May 2021
US Department of the Interior, Office of Chief Information Officer, “Penetration Testing” Retrieved 5 May 2021
GOsafeonline For Cyber Security Awareness Alliance, 2014, “Vulnerability Assessment and Penetration Testing” Retrieved 5 May 2021
SecureOPS, 2019, “The Difference between a Penetration Test and a Vulnerability Assessment” Retrieved 6 May 2021