What is Penetration Testing (VAPT)?
Vulnerability Assessment and Penetration Testing (VAPT) uses the tools and techniques of a real attacker to detect and exploit vulnerabilities in your networks and applications, attempting to gain access, obtain sensitive personal data or conduct fraudulent transactions. Penetration testing is one of the most effective ways to assess your data security and overall security posture against cyber attacks.
Penetration testing conducted by skilled pen testers helps you identify likely attack paths and uncover vulnerabilities that an automated vulnerability assessment alone may miss. All our penetration testing services include a vulnerability assessment as part of the service.
Pen testing can be conducted from within your network to simulate an insider threat, or from the public internet to simulate an external attacker. Depending on the objectives of the security assessment and your cyber security program, the assessment can be performed as an unauthenticated user (no login access) or with test user accounts.
- Network penetration testing: to detect vulnerabilities in the operating system and commonly used software on servers and network devices.
- Application penetration testing: to detect vulnerabilities at the application layer, usually in custom-developed web and mobile applications.
- Wireless penetration testing: to detect vulnerabilities in the wireless network implementation within your organization's premises.
Penetration Testing (VAPT) Process
- Run vulnerability scanning tools against the targets to identify potential vulnerabilities.
- Perform manual testing to verify the scanner results (eliminating false positives) and attempt to exploit the confirmed vulnerabilities.
- Analyze the impact and severity of each issue and recommend corrective action.
- Retest to verify that previously identified weaknesses have been fixed adequately.
Frequently Asked Questions
What are the different types of penetration tests?
The type of pen test depends on the objective you are trying to achieve. Test scenarios may include an unauthorized attacker gaining and maintaining access to your network, or a malicious insider stealing information they should not have access to.
- Black-box testing simulates an unauthorized attacker with no user credentials i.e. testing without logging into the system. With this approach, system functions requiring authenticated access will not be tested.
- Grey-box testing simulates an authorized but malicious attacker with user credentials i.e. testing by logging into the system. With this approach, system functions requiring authenticated access will be tested.
- White-box testing simulates a malicious attacker with access to the application’s source code. The approach will be a combination of VAPT and secure code review methodologies.
It is important to use the appropriate approach based on the risks identified by your security team and risk management framework.
What is the difference between internal and external testing?
Also known as ethical hacking, VAPT can be conducted on your internet-facing assets or your internal network. Depending on network accessibility, ethical hackers may need to be deployed onsite during the testing.
Internal testing simulates a malicious insider attack and is conducted from within the customer's internal network, from a segment where the targets are reachable.
External testing simulates a malicious outsider attack and is conducted from the public internet without modifying the customer's perimeter defences (firewall rules are not relaxed for the testers).
What is included in network penetration testing?
Network penetration testing identifies vulnerable services running on your network infrastructure. It is primarily concerned with vulnerabilities at the operating system layer and in common third-party software (as catalogued by NIST CPE identifiers) on the target hosts and devices. Regular network penetration testing helps identify security weaknesses that can be exploited in a real-world attack.
To be clear, the test is focused on detecting security vulnerabilities; it is not a Red Team assessment of the organization's real-time readiness to detect and respond to cyber attacks, and it excludes social engineering tests on your employees.
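As an added example (not code from this page or from Swarmnetics), the following shows how the "common software" side of a network test is typically modelled: each discovered service is named with a NIST CPE 2.3 identifier and matched against version-ranged advisories, which is what a vulnerability scanner does before a tester verifies the result by hand. The parser, the matcher, the advisory rules, the host inventory, the vendor/product names and the advisory IDs are all constructed for illustration and do not describe real products or vulnerabilities. It also shows why a banner that reveals no version number can only be flagged for manual verification rather than reported as a confirmed finding.

```python
"""Map discovered software (CPE 2.3 names) to version-ranged advisories.

Added example, not the page's or Swarmnetics' code. The rules, inventory,
product names and advisory IDs below are constructed and fictional.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
ATTRS = ["part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other"]


def split_cpe23(fs: str) -> List[str]:
    """Split on unescaped ':'; a backslash escapes the following character."""
    fields, buf, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            buf.append(fs[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(fs: str) -> Dict[str, str]:
    """Return the 11 CPE attributes as a dict; reject anything that is not CPE 2.3."""
    fields = split_cpe23(fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(ATTRS, fields[2:]))


def version_key(v: str) -> Tuple[Tuple[int, object], ...]:
    """Tokenise '7.4p1' -> ((0,7),(0,4),(1,'p'),(0,1)) so mixed versions compare sanely.

    Numeric tokens sort as (0, int) and alphabetic ones as (1, str); this keeps
    7.4 < 7.4p1 < 7.5 and never compares an int with a str.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


@dataclass
class Rule:
    advisory: str                     # hypothetical advisory identifier
    pattern: str                      # CPE 2.3 string; '*' = any value, version is '*'
    start_incl: Optional[str] = None  # first affected version (inclusive)
    end_excl: Optional[str] = None    # first fixed version (exclusive)


def attr_matches(rule_val: str, disc_val: str) -> bool:
    return rule_val == "*" or disc_val == "*" or rule_val == disc_val


def version_affected(v: str, rule: Rule) -> bool:
    k = version_key(v)
    if rule.start_incl and k < version_key(rule.start_incl):
        return False
    if rule.end_excl and k >= version_key(rule.end_excl):
        return False
    return True


def match_rules(discovered: str, rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (advisory, status) pairs; status is 'affected' or 'unverified'."""
    d = parse_cpe23(discovered)
    hits = []
    for rule in rules:
        p = parse_cpe23(rule.pattern)
        if not all(attr_matches(p[a], d[a]) for a in ATTRS if a != "version"):
            continue
        if d["version"] == "*":
            # Banner gave no version: a scanner cannot decide, a tester must verify.
            hits.append((rule.advisory, "unverified"))
        elif version_affected(d["version"], rule):
            hits.append((rule.advisory, "affected"))
    return hits


# Constructed advisory rules (fictional vendor "acme", fictional IDs).
RULES = [
    Rule("ADV-2024-0001", "cpe:2.3:a:acme:widgetd:*:*:*:*:*:*:*:*", "1.2.0", "1.4.3"),
    Rule("ADV-2024-0002", "cpe:2.3:o:acme:routeros:*:*:*:*:*:*:*:*", None, "6.49"),
    Rule("ADV-2024-0003", "cpe:2.3:a:acme:widgetd:*:*:*:*:*:linux:*:*", "1.0", "2.0"),
]

# Constructed inventory, as a scanner might derive it from service banners.
INVENTORY = [
    ("10.0.0.5", "cpe:2.3:a:acme:widgetd:1.4.2:*:*:*:*:linux:x64:*"),
    ("10.0.0.6", "cpe:2.3:a:acme:widgetd:1.4.3:*:*:*:*:windows:*:*"),
    ("10.0.0.7", "cpe:2.3:o:acme:routeros:6.48.1:*:*:*:*:*:*:*"),
    ("10.0.0.8", "cpe:2.3:a:acme:widgetd:*:*:*:*:*:*:*:*"),   # no version in banner
]


def assess(inventory: List[Tuple[str, str]], rules: List[Rule]) -> Dict[str, List[Tuple[str, str]]]:
    return {host: match_rules(cpe, rules) for host, cpe in inventory}


if __name__ == "__main__":
    for host, hits in assess(INVENTORY, RULES).items():
        print(host, hits or "no matching advisories")
```

Host 10.0.0.6 illustrates the two ways a match is ruled out: its version equals the fixed version (the exclusive upper bound) and its target platform does not match the platform-specific rule. Host 10.0.0.8 shows the case the manual testing step exists for: the banner carries no version, so the tool can only say "possibly affected" and the tester has to confirm or discard it.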
What is included in application penetration testing?
Application testing focuses on the security of web and mobile applications and their functionality (including the web API servers that back mobile apps). It is primarily concerned with application-layer vulnerabilities, especially the OWASP Top Ten Web Application Security Risks and the OWASP Mobile Top 10, including cross-site scripting, SQL injection and other security issues. Our security experts also look for flaws in the business logic and for ways to bypass authorization controls in the mobile and web app.
Besides identifying exploitable vulnerabilities, the team evaluates the information security controls the application implements to protect data and secure transactions.
What assessment methodology do you use?
We adopt the following guidelines for our penetration testing methodology:
- Penetration Testing Execution Standard
- OWASP Web Security Testing Guide
- OWASP Mobile Security Testing Guide
Specific automated tools and manual network and application security testing procedures are executed based on the nature of the testing and environment.
What is included in the report?
We provide a comprehensive, high quality report in which every finding has been manually verified to eliminate false positives. You can expect our VAPT reports to include detailed vulnerability analysis and actionable remediation recommendations.
- Executive summary: Overview of the engagement
- Engagement scope: Scope of work defined for the engagement
- Summary list of findings: List of observations rated by priority
- Significant risk areas (if any): Other significant or systemic risk as a result of a combination of issues identified
- Conclusion: Final observation
- Detailed findings: For each issue, a description, risk impact, priority rating, technical references and recommended security measures.
During the penetration test, we will also highlight any critical vulnerabilities to the customer as soon as they are found, so that immediate action can be taken to fix the detected issue.
What VAPT tools do you use?
Our security professionals use both commercial and open source vulnerability assessment tools including Tenable Nessus Pro, Burp Suite Pro, Kali Linux, Metasploit, etc.
Do note that while pen testing tools are an important part of the approach, our security consultants also perform manual testing techniques when providing our VAPT services. Security tools support the work of the testing team but do not replace the process.
Yes, we are CREST accredited
Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, across various industries.
Licensed by Singapore’s Cyber Security Agency (CSA)
The Cyber Security Agency of Singapore (CSA) has launched its licensing framework for cybersecurity service providers under Singapore's Cybersecurity Act, effective 11 April 2022. At present, penetration testing and managed security operations centre (SOC) monitoring services require a licence, because of the significant access such service providers have to their clients' computer systems and sensitive information.
Companies providing licensable cybersecurity services in Singapore have until 11 October 2022 to apply for a licence, but may continue to provide services until a decision is made on their licence application. Cybersecurity service providers who do not apply for a licence in time will have to cease the provision of their service until a licence is obtained.
Swarmnetics has been licensed by the Cybersecurity Services Regulation Office (CSRO) since 31 May 2022 (Licence No. CS/PTS/C-2022-0090).