2. VAPT Approach
Step 1
• Plan & Initiate
Step 2
• Analyze & Test
Step 3
• Infrastructure Vulnerability Assessment
Step 4
• Application Security Assessment
Step 5
• Reporting and Knowledge Transfer
3. Plan & Initiate
• Share assessment methodology document to the Client
• Ask client for the Scope
• Ask client to give Us brief understanding of the Application
• Share the Public IP address of NII from which Testing will be
carried out
• Share the Contact details of stake holder that need to keep
posted of scanning activities and status of the project
4. Analyze & Test
• After understating of the client requirement and Application
• Define the Type of Testing NII will carried out
• Black Box Testing
• Gray Box Testing
• Black Box Testing
• Based on testing standard such as OWASP OSSTMM the black box
testing is essentially done to determine security vulnerabilities that
could be discovered and exploited by someone with no internal or
privileged access to the system.
• Gray Box Testing
• At this stage the client is expected to provide a login ID & Password
using which the consultant will carry out the penetration testing
which walks through a series of task cultivated specially for
identification and simulated exploitation of Vulnerabilities.
5. Infrastructure Vulnerability
Assessment
• Reconnaissance (Only Blackbox)
• Determine all the IP Address assigned to the client to enable us to
freeze the scope of the engagement
• Discovery (Only Blackbox)
• Second phase of Testing involves identifying the Live Hosts
• Public Domain Sources (Only Blackbox)
• Looking for the Public domain and Sensitive information available on
public domain
• Port Scanning
• Identifying open port
• Identification of Service
• Identification of service or Information gathering of service
• Identification of Operating system
• Identification of Vulnerabilities
• Exploitation of Vulnerabilities
6. Application Security
Assessment
• Testing of OWASP
• Performing Open Source Security Testing Methodology for
Application Security
• Identification of Remote exploit vulnerability
• Identification of Vulnerabilities
• Manual Analysis
• Automated Analysis (Proprietary Tool Insight , Netsparker
Commercial Tool, Nessus Professional Edition, Burp Suite
Professionals etc.)
• Exploiting the vulnerabilities
• Taking a proper evidence of confirmation of vulnerabilities
7. Wireless Security assessment
• Wireless WAR Drive/Walking
• Identify interfering APs
• Identify rogue APs
• Checking strength of Wireless (Penetration Test)
• Checking Encryption Mechanism
• Breaking password of wireless devices
• Configuration review of Wireless devices
8. PCI DSS Requirements
• Section 6.6
• Activity: Web Application Assessment
• Scope: Public-facing application
• Methodology: Graybox
• Frequency: Annually or after any changes
• Section 11.1
• Activity: Wireless Network Scanning
• Scope: CDE Environment
• Methodology: Blackbox
• Frequency: Quarterly
• Section 11.2.1
• Activity: Network Vulnerability Scanning
• Scope: Internal Network
• Methodology: Blackbox and/or Graybox
• Frequency: Quarterly or after any changes
9. PCI DSS Requirements…
• Section 11.2.2
• Activity: Network Vulnerability Scanning
• Scope: External Network Vulnerability Scanning
• Methodology: Blackbox
• Frequency: Quarterly or after any changes
• Section 11.3.1
• Activity: Penetration Testing
• Scope: Internal network devices and web applications in scope
• Methodology: Graybox
• Frequency: Annually or after changes
• Section 11.3.2
• Activity: Penetration Testing
• Scope: External Network devices and web applications in scope
• Methodology: Graybox
• Frequency: Annually or after changes
10. PCI DSS Requirements…
• Section 11.3.3
• Activity: Re-validation Assessment
• Scope: Internal and External vulnerabilities identified
• Methodology: Blackbox and/or Graybox
• Frequency: As per primary testing cycles
• Section 11.3.4
• Activity: Network Segmentation Test
• Scope: Non-CDE networks and Perimeter networks
• Methodology: Graybox
• Frequency: Annually or after changes
11. Reporting and Knowledge
Transfer
• Submit the final and detailed set of report with in depth
information to fix the vulnerabilities.
• Conduct a knowledge transfer exercise to the technical team
• Present the finding to the technical and management teams
• Hand over final set of deliverable to the client
12. Report Format
• Executive Summary
• Summary of the engagement
• objective of the engagement
• Duration of the assessment
• Approach for the assessment
• Scope of work
• Type of penetration testing selected by the client
• Detail on standard and frameworks followed
• Summary of finding
• Tabular Summary
• Graphical Summary
13. Cont..
• Technical report
• Vulnerability Name
• Severity
• Ease of Exploitation
• Affected IP Address or URL
• Vulnerability Classification
• Description of Vulnerability
• Analysis
• Impact
• Recommendation
• Reference URL
• Conclusion