Vulnerability Assessment & Penetration Testing
Arete’s Vulnerability Detection and Penetration Testing is the most comprehensive service for auditing, pen testing, reporting and patching for your company’s web-based applications. With port 80 always open for web access, there is always a possibility that a hacker can beat your security systems and gain unauthorized access to your web applications.
Vulnerability assessment and penetration testing are two different and complementary proactive approaches to assessing the security posture of the information systems network.
The vulnerability assessment tests the security posture of the information system from the position of an internal attacker, a role also referred to as an ethical hacker. Its primary purpose is to imitate an internal attack as a user with network access, attempt to gain unauthorized information, and enumerate any vulnerabilities that may exist.
A penetration test offers an invaluable and compelling way to establish a baseline assessment of security as seen from outside the boundaries of the organization’s network. Properly executed penetration tests provide evidence that vulnerabilities do exist and that network penetrations are possible. More importantly, they provide a blueprint for remediation in order to start or enhance a comprehensive information protection strategy.
- Identify any potential security vulnerabilities in an organization’s current infrastructure and develop plans to mitigate these weaknesses.
- Determine the degree of exposure to external and internal attacks.
- Provide evidence that verifies the possibility of exploiting the vulnerabilities found.
- Determine the probability that an attacker could compromise the system with access to computers connected to your company's network.
- Assess defense systems such as the Intrusion Detection System (IDS), firewall, etc., and check whether they are working properly.
- Third-party audits meet government and industry compliance standards.
- Accurate and up-to-date vulnerability knowledge base.
- Comprehensive and easy-to-use report for management as well as the technical team.
- Closing all windows of opportunity for intruders.
Arete’s penetration test methodology includes three types of approaches for penetration testing:
- A Zero Knowledge Test
- A Full Knowledge Test
- A Partial Knowledge Test
With our Zero Knowledge attack, the penetration test team has no real information about the target environment. This type of test is obviously designed to provide the most realistic penetration test possible.
In our Partial Knowledge Test, the client organization provides the test team with the type of information a motivated attacker is likely to find, which saves time and expense.
Our partial knowledge test approach is used if there is a specific kind of attack or specific targeted host that the client organization wants to have the penetration test team focus on. To conduct a partial knowledge test, the test team is provided with such documents as policy and network topology documents, asset inventory, and other valuable information.
Our last type of approach for penetration testing is a Full Knowledge attack, whereby the penetration test team has as much information about the client environment as possible. This approach is designed to simulate an attacker who has intimate knowledge of the target organization’s systems, such as an actual employee. The above strategies are conducted on both the application and the network.
The steps involved in Application and Network VAPT are as follows:
1. Application Penetration Test Methodology
- Information Gathering
- Configuration Testing
- Business Logic Testing
- Authentication Testing
- Authorization Testing
- Client-side Attacks
- Data Validation Testing
- Session Management Testing
- Denial of Service Testing
- Web Services Testing
- AJAX Testing
2. Network Penetration Testing Methodology
- Vulnerability Assessment
- Network Links and Protocol Vulnerability Testing
- Multiple Attack Vector Analysis
- Scenario Modeling Analysis
- Root Cause Analysis
- Risk Calculation