AVDS: Alternative to Pen Testing
Pen testing (penetration testing) is the discovery of vulnerable network equipment or applications by evaluating their response (behavior) to specially designed requests. In some cases a payload (a message, marker or flag) is delivered to prove beyond doubt that the vulnerability can be exploited. Pen testing is usually a manual and expensive undertaking that is done infrequently and only on selected, high-value or highly exposed portions of a network.
The value of pen testing is that once a payload has been delivered there is no arguing that the vulnerability exists and that it is serious enough to allow unauthorized access. Its weaknesses are that results vary with the skill of the tester, it is performed infrequently, it is expensive, and its scope is limited to the hosts selected for testing.
Pen testing and Vulnerability Assessment and Management (VAM) did not cross paths until recently because, in all cases but one, commercial VAM solutions primarily read the 'banner' a service announces to collect its software version number. This is sometimes called inference-based scanning. A typical VAM vulnerability test assumes that if an old version is reported then certain vulnerabilities must be present, and that if a current version is reported then there are none. There are many reasons why version does not equal vulnerability: vendors and distributions backport security fixes without changing the version string, banners can be edited or suppressed by the administrator, a vulnerable feature may be disabled or mitigated by configuration, and a fully current build can still be misconfigured. This is the source of the low reputation of VAM reports for accuracy. Only one VAM solution tests behavior and can prove the existence of vulnerabilities in the way pen testing does.
AVDS is unique in the VAM field. It was designed from scratch to test the behavior of network equipment and applications rather than to read a banner and assume at face value that vulnerabilities may exist. AVDS sends specially designed requests to each host and determines, from the response and a positive identification within it, that a vulnerability exists. Behavior-based testing aligns AVDS with pen testing and produces four important benefits: high accuracy, frequent testing with current results, low cost, and complete coverage of everything that 'speaks IP'.
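As an added example (not AVDS code, nor any scanner's actual test), the following Python contrasts an inference-based check that trusts the version in a banner with a behavior-based check that sends a probe and requires positive proof in the response. Everything in it is constructed for illustration: the product name ExampleHTTPd, its version numbers, the rule that the bug was "fixed in 2.4.0", the four simulated hosts and the traversal probe. The four hosts cover the cases described above where version does not equal vulnerability: a backported fix behind an old banner, and unfixed code behind a suppressed banner.

```python
"""Version-inference scanning vs. behavior-based scanning.

Added illustration, not AVDS code. The product name (ExampleHTTPd), its
version numbers, the 'fixed in 2.4.0' rule, the hosts and the traversal
probe are all constructed for this example.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed rule a banner-based scanner would carry: any ExampleHTTPd build
# older than 2.4.0 is *assumed* to contain an unpatched path-traversal bug.
ASSUMED_FIXED_IN = (2, 4, 0)

# Constructed probe: request a file that lives outside the document root.
TRAVERSAL_PROBE = "/../../../etc/passwd"

# Constructed filesystem shared by every simulated host.
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/index.html": "<html>hello</html>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}


def parse_version(banner: str) -> Tuple[int, ...]:
    """'ExampleHTTPd/2.2.15' -> (2, 2, 15); () when the banner hides the version."""
    match = re.search(r"/(\d+(?:\.\d+)*)", banner)
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()


@dataclass
class SimulatedHost:
    """Stand-in for a network host: a banner plus request-handling behavior."""
    name: str
    banner: str
    validates_path: bool  # True = the traversal fix is present in the running code
    docroot: str = "/var/www"

    def handle(self, request_path: str) -> Tuple[int, str]:
        """Serve a GET for request_path the way the (simulated) server would."""
        if self.validates_path:
            # Fixed code: resolve '..' first, then refuse anything outside docroot.
            resolved = posixpath.normpath(
                posixpath.join(self.docroot, request_path.lstrip("/")))
            if not resolved.startswith(self.docroot + "/"):
                return 403, "Forbidden"
        else:
            # Unfixed code: concatenate and let the OS resolve '..' for it.
            resolved = posixpath.normpath(self.docroot + request_path)
        body = SAMPLE_FILES.get(resolved)
        return (200, body) if body is not None else (404, "Not Found")


def banner_says_vulnerable(host: SimulatedHost) -> bool:
    """Inference-based check: decide from the version string alone."""
    version = parse_version(host.banner)
    return bool(version) and version < ASSUMED_FIXED_IN


def behavior_says_vulnerable(host: SimulatedHost) -> bool:
    """Behavior-based check: send the probe and require a positive ID in the
    response, i.e. content that can only have come from outside the docroot."""
    status, body = host.handle(TRAVERSAL_PROBE)
    return status == 200 and "root:x:0:0" in body


def build_sample_hosts() -> list:
    """Four constructed hosts covering the cases where version != vulnerability."""
    return [
        # Old build, never patched: both methods are right.
        SimulatedHost("legacy-unpatched", "ExampleHTTPd/2.2.15", validates_path=False),
        # Old version string, but the distribution backported the fix: the banner
        # check reports a false positive, the behavior check correctly reports clean.
        SimulatedHost("backported-fix", "ExampleHTTPd/2.2.15", validates_path=True),
        # Version suppressed in the banner, code still unfixed: the banner check
        # has nothing to go on (false negative), the behavior check finds it.
        SimulatedHost("hidden-banner", "ExampleHTTPd", validates_path=False),
        # Current, fixed build: both methods report clean.
        SimulatedHost("current", "ExampleHTTPd/2.4.3", validates_path=True),
    ]


def scan(hosts) -> Dict[str, Dict[str, bool]]:
    """Run both checks against every host and return the verdicts side by side."""
    return {h.name: {"banner": banner_says_vulnerable(h),
                     "behavior": behavior_says_vulnerable(h)}
            for h in hosts}


if __name__ == "__main__":
    for name, verdict in scan(build_sample_hosts()).items():
        print(f"{name:18} banner={verdict['banner']!s:5} behavior={verdict['behavior']!s:5}")
```

The design point is in behavior_says_vulnerable: it does not report a finding because the request was accepted or because the status code looked suspicious, but only when the response carries evidence that the protection is absent. That is what keeps the false-positive rate down on the backported host, and it is the same standard a pen tester applies when a delivered payload is the proof.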
Although manual pen testing can identify how a combination of medium-risk vulnerabilities adds up to a high-risk situation, it has the four weaknesses noted above: results that vary with the tester's skill, infrequent execution, high cost, and limited scope.
AVDS accomplishes the primary activity of pen testing, the identification of weaknesses in production hosts by testing their behavior, and addresses each of those four failures: automated tests give consistent results regardless of who runs them, scans can be run as often as needed so results stay current, the per-scan cost is low, and every host that speaks IP can be covered rather than a selected few.
Behavior-based testing of network hosts (and in particular web applications) is unique to AVDS. Its library of unique and proprietary tests has taken many years to compile and has been honed by constant use on thousands of networks. Accuracy was the goal of this mammoth project, and thanks to tens of thousands of hours of development work and feedback from thousands of customers, AVDS delivers the highest level of accuracy available in VAM. The result: most AVDS customers never experience a single reporting error.
Manual pen testing is sometimes required by internal policy or for compliance with external standards. In these cases AVDS is the ideal partner: regular AVDS scanning, and the elimination of every medium- and high-risk vulnerability it discovers, dramatically reduces the time needed for manual penetration testing and therefore its cost.
For additional information on AVDS behavior-based testing see:
Vulnerability Assessment Accuracy.