What is Penetration Testing (VAPT)?
Vulnerability Assessment and Penetration Testing (VAPT) simulates the tools and techniques of an attacker to detect and exploit vulnerabilities to gain access to your systems, obtain sensitive personal data or conduct fraudulent transcations. This security testing approach conducted by skilled pen testers helps you identify possible attack routes and vulnerabilities that may not be found from vulnerability assessments. All our penetration testing services include a vulnerability assessment as part of the service.
Pen testing can be conducted from within your network to simulate insider threat or from the public internet to simulate an external hacker. And depending on the objectives of your cyber security program, the assessment can be performed as an unauthenticated user (no login access) or with test user accounts.
To detect vulnerabilities in the operating system and commonly used software in servers and network devices.
To detect vulnerabilities at the application layer, usually for custom-developed web and mobile applications.
To detect vulnerabilities in the wireless network implementation within your organization’s premises.
Penetration Testing (VAPT) Process
Run scanning tools to analyze target and detect potential vulnerabilities.
Perform manual testing, verify vulnerabilities and attempt to exploit the target.
Analyze impact and severity of issues, and recommend corrective action.
Verify if previously detected vulnerabilities have been fixed adequately.
Frequently Asked Questions
What is the difference between black-box and grey-box testing?
Black-box testing simulates an unauthorized attacker with no user credentials i.e. testing without logging into the system. With this approach, system functions requiring authenticated access will not be tested.
Grey-box testing simulates an authorized but malicious attacker with user credentials i.e. testing by logging into the system. With this approach, system functions requiring authenticated access will be tested.
What is the difference between internal and external testing?
Internal testing simulates a malicious insider attack and is conducted from within the customer internal network and from a segment where the targets are accessible.
External testing simulates a malicious outsider attack and is conducted from the public internet without modification of customer’s perimeter defence.
What is included in network penetration testing?
Network penetration testing helps customers identify vulnerable services running on the network and is primarily concerned with vulnerabilities at the operating system layer and common software (e.g. NIST CPE) of the target hosts and devices. Regular network penetration testing helps identify weaknesses that can be exploited in a cyber attack.
What is included in application penetration testing?
Application testing is focused on application securit and the functionalities of the application (including web API servers for mobile apps) and is primarily concerned with application layer vulnerabilities, especially the OWASP Top Ten Web Application Security Risks and OWASP Mobile Top 10. Application testing helps evaluate the information security controls implemented for protecting data and securing transactions.
What methodologies do you use?
We adopt the following guidelines for our penetration testing methodology:
- Penetration Testing Execution Standard
- OWASP Web Security Testing Guide
- OWASP Mobile Security Testing Guide
Specific testing procedures are executed based on the nature of the testing and environment.
What tools do you use?
Our security professionals use both commercial and open source testing tools including Tenable Nessus Pro, Burp Suite Pro, Kali Linux, Metasploit, etc.
Yes, we are CREST accredited
Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium business, and across various industries.