
VAPT: What, Why and How?

What?

VAPT stands for Vulnerability Assessment and Penetration Testing, which means there are two activities.

First, VA is usually an automated security scan on the scope (this can be a network, a website, etc.), and the results are manually validated to check for false positives.

Second, PT goes a step further than VA: exploitation attempts are made, and a lot more manual testing is involved to mimic a real threat actor (cyber criminal).

In simpler terms, it’s essentially a check of whether your web/network/asset has any vulnerabilities or ‘holes’ that can be exploited and could impact your organization’s business!

Why?

In the context of Brunei, it’s usually done because of these:

  • Regulatory Compliance. For example, the Tech Risk Management Guideline (BDCB) is a guideline for financial institutions, and it states that you need to have a VAPT before deploying your digital products. The Cyber Security Order (Cyber Security Brunei) also says the same thing. The Protection Obligation in the Personal Data Protection Order (AITI) states something similar too. Lastly, there are international standards and compliance frameworks that list VAPT as a requirement, e.g. ISO27001, PCI-DSS, and more.
  • Business Driven. This just means your business requires you to do a VAPT for reasons like a recent digital transformation (new mobile app), cloud migration, etc.
  • Risk Management. This actually sort of covers both of the above: basically, you’re doing a VAPT to manage your risk of breaches and compliance issues. This helps in creating a more proactive approach to your security too.

How?

The how is simpler: approach a company that provides VAPT services. However, if it’s just VA, you can technically DIY it if you have internal resources that can handle it!

Otherwise, you can always let me know and I’ll hook you up with Swarmnetics’ VAPT services (full disclosure: I work for Swarmnetics).

In addition to the above, I also did a career talk for GDG Career 2024 titled “Getting into Pentesting”; you can find the points mentioned here in the slide deck here.