VAPT Session Summary

Jul 1, 2024

VAPT Session Overview

Introduction

  • Hosts: Sam, Abhilash
  • Platform: LinkedIn and YouTube (first time live on both)
  • Recording: Available via shared Google form
  • Giveaway: VAPT learning mind map or step-by-step guide

Discussion Points

Awareness of VAPT

  • Past: Only well-established companies, financial institutions, and those mandated by security standards
  • Present: Increasing awareness among startups and smaller companies, driven by the rise of bug bounty programs and greater attention to digital security
  • Trend: Significant shift post-COVID with government support for digitization and security

VAPT Acceptance

  • Past: Needed to explain importance to clients
  • Present: Higher acceptance; clients understand the need for VAPT
  • Benefits: Enhances brand value, critical for internet presence

Abhilash's Journey

  • Experience: 7 years in VAPT and application security
  • Skills: Web, mobile, API, thick clients, Kubernetes, Docker, source code reviews, spear phishing, email security, endpoint security
  • Certifications: CEH, CKA, CSSLP, CCSK, CCNA
  • Past Companies: Mindtree, eScan, Emudhra, etc.

VAPT Fundamentals

Vulnerability Assessment (VA)

  • Objective: Identify known vulnerabilities
  • Scope: Broad; across entire network or applications
  • Outcome: List of known vulnerabilities

Penetration Testing (PT)

  • Objective: Exploit vulnerabilities to show their impact
  • Scope: Focused and deep
  • Outcome: Prioritized vulnerabilities, exploitation steps, and remediation

Day-to-Day Tasks of a Security Engineer

  • Asset Discovery: Using tools like nmap and OWASP Amass
  • Vulnerability Scanning: Tools like Tenable Nessus, Qualys
  • Vulnerability Identification: Manual or tool-based
  • Vulnerability Confirmation: Using multiple tools/scripts
  • Vulnerability Prioritization: Based on severity, exploitability, asset category, and data classification
  • Vulnerability Exploitation: Manual steps to exploit and confirm vulnerabilities
  • Vulnerability Reporting: Creating detailed reports with remediation tips
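The confirmation and prioritization steps above are where most of the judgement sits: the same host:port is usually reported by more than one scanner, and a raw CVSS number says nothing about whether the asset is internet-facing or what data it holds. The script below is an added example, not material from the session: it merges constructed Nessus- and Qualys-style rows on the same host and port (cross-tool confirmation), then weights the highest CVSS by asset category, data classification and exploit availability. The scanner rows, the asset inventory and every weight and threshold are made-up assumptions for illustration, not an industry standard.

```python
"""Correlate scanner findings and rank them by business risk (added example).

All inputs and weights below are constructed for illustration; tune them to
your own asset inventory and risk appetite.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed scanner export: two tools reporting overlapping findings.
SCAN_OUTPUT = """\
tool,host,port,finding,cvss,exploit_available
nessus,10.0.0.5,445,SMBv1 enabled,7.5,yes
qualys,10.0.0.5,445,SMB version 1 supported,7.3,yes
nessus,10.0.0.5,22,SSH weak MAC algorithms,4.3,no
nessus,10.0.0.9,443,TLS 1.0 supported,6.5,no
qualys,10.0.0.9,443,TLS 1.0 enabled,6.4,no
nessus,10.0.0.22,3306,MySQL accessible without authentication,9.8,yes
"""

# Constructed asset inventory: category and data classification per host.
ASSETS = {
    "10.0.0.5": {"category": "internal", "data": "internal"},
    "10.0.0.9": {"category": "internet-facing", "data": "pii"},
    "10.0.0.22": {"category": "internet-facing", "data": "cardholder"},
}

# Assumed weights: exposure and data sensitivity scale the technical score.
CATEGORY_WEIGHT = {"internet-facing": 1.5, "internal": 1.0, "lab": 0.5}
DATA_WEIGHT = {"cardholder": 1.5, "pii": 1.3, "internal": 1.0, "public": 0.8}
EXPLOIT_MULTIPLIER = 1.3    # a public exploit makes the finding more urgent
CONFIRMED_MULTIPLIER = 1.1  # a second tool agreeing lowers false-positive risk
# Hosts missing from the inventory are treated conservatively.
UNKNOWN_ASSET = {"category": "internet-facing", "data": "pii"}


@dataclass
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    exploit_available: bool
    tools: set = field(default_factory=set)
    score: float = 0.0


def parse_scans(text):
    """Turn the CSV export into one Finding per scanner row."""
    return [
        Finding(host=row["host"], port=int(row["port"]), title=row["finding"],
                cvss=float(row["cvss"]),
                exploit_available=row["exploit_available"] == "yes",
                tools={row["tool"]})
        for row in csv.DictReader(io.StringIO(text))
    ]


def correlate(findings):
    """Merge rows on the same host:port; keep the highest CVSS and union the tools."""
    merged = {}
    for f in findings:
        key = (f.host, f.port)
        if key not in merged:
            merged[key] = Finding(f.host, f.port, f.title, f.cvss,
                                  f.exploit_available, set(f.tools))
            continue
        m = merged[key]
        m.cvss = max(m.cvss, f.cvss)
        m.exploit_available = m.exploit_available or f.exploit_available
        m.tools |= f.tools
    return list(merged.values())


def risk_score(f, assets):
    """CVSS scaled by exposure, data sensitivity, exploitability and confirmation."""
    asset = assets.get(f.host, UNKNOWN_ASSET)
    score = f.cvss * CATEGORY_WEIGHT[asset["category"]] * DATA_WEIGHT[asset["data"]]
    if f.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    if len(f.tools) > 1:
        score *= CONFIRMED_MULTIPLIER
    return score


def severity(score):
    """Assumed report buckets for the weighted score."""
    if score >= 20:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(scan_text, assets):
    """Parse, correlate, score and sort findings, highest risk first."""
    findings = correlate(parse_scans(scan_text))
    for f in findings:
        f.score = risk_score(f, assets)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in prioritize(SCAN_OUTPUT, ASSETS):
        print(f"{severity(f.score):8} {f.score:6.2f} {f.host}:{f.port:<5} "
              f"{f.title} (confirmed by {', '.join(sorted(f.tools))})")
```

Note how the ranking changes from a pure CVSS sort: SMBv1 on the internal host (CVSS 7.5) drops below TLS 1.0 on the internet-facing host holding PII (CVSS 6.5), which is the kind of context a report should make explicit rather than leaving the reader to infer it from the scanner's severity column.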

Difference Between VA and PT

  • VA: Identifying vulnerabilities
  • PT: Exploiting and prioritizing vulnerabilities

Types of VAPT

Infrastructure VAPT

  1. Cloud Infrastructure VAPT: Testing for vulnerabilities in a cloud environment (misconfigured services, exposed storage, weak identity and access controls)
  2. Wireless VAPT: Testing the security of wireless networks, including authentication and encryption weaknesses

Application VAPT

  1. Web Application PT
  2. Mobile Application PT
  3. API Security Testing
  4. Thick Client PT: Testing desktop-based applications

How to Start with VAPT

Basic Knowledge

  1. Networking: Learn about OSI, TCP/IP models, common ports, and protocols
  2. Cryptography: Basics of symmetric and asymmetric cryptography, encryption methods
  3. Malware Types: Understanding viruses, trojans, rootkits

Key Resources

  1. Web Application PT: PortSwigger Web Security Academy and TryHackMe.com
  2. Mobile Application PT: Pentester Academy (Android & iOS specifics)
  3. API Security Testing: APIsec University, APICybersecurity University
  4. Infrastructure PT: TryHackMe, Hack The Box; certifications such as OSCP and PNPT

Tools and Practices

  1. Practice: Hack The Box, TryHackMe
  2. Reports: Learn to write detailed and well-articulated vulnerability reports
  3. Guided Training: Invest in structured courses if self-learning is challenging

Conclusion

  • Interaction: Q&A session covering certifications, tools, career tips, and practical examples.
  • Next Steps: Fill out the Google form for session recordings and additional resources.
  • Thank You: Appreciation from hosts and participants.