AVDS: Alternative to Pen Testing
Pen testing (penetration testing) is the discovery of vulnerable network equipment or applications by evaluating their response (behavior) to specially designed requests. In some cases a payload (message, marker or flag) is delivered to prove beyond a doubt that the vulnerability can be exploited. Pen testing is usually a manual and expensive undertaking that is done infrequently and on selected, high value or highly exposed portions of a network.
Pen testing's value is that by delivering a payload there is no arguing that the vulnerability exists and that it is serious enough to allow unauthorized access. Pen testing's weaknesses are variable results due to the skill of the technician, infrequency, high expense and limited scope of testing.
Pen testing and Vulnerability Assessment and Management (VAM) have not crossed paths until recently because in all cases but one, commercial VAM solutions primarily check the 'banner' to collect the software version number. This is sometimes called inference-based scanning. Typical VAM vulnerability tests assume that if an old version is discovered, then certain vulnerabilities can be assumed or that if a current version number is reported, then there are no vulnerabilities. There are many reasons that version does not equal vulnerability, thus the low reputation for VAM report accuracy. Only one VAM solution tests behavior and can prove the existence of vulnerabilities, like pen testing.
AVDS is unique in the VAM field. It was designed from scratch to test the behavior of network equipment and applications rather than just look at a banner and assume at face value that vulnerabilities may exist. AVDS sends specially designed requests to each host to determine, by response and positive ID, that vulnerabilities exist. Behavior-based testing aligns AVDS with pen testing and produces four important benefits: high accuracy, frequency of testing and currency of results, low cost and complete coverage of everything that 'speaks IP'.
Although manual pen testing can identify how a combination of medium risk vulnerabilities can result in a high risk situation, it has the following issues:
- Frequency: Within days of any pen test, any additions or changes to hosts and the network will create new security situations. Additionally, new vulnerabilities are announced weekly and may exist on the network.
- Accuracy: No two pen test professionals may go about testing the same way, have the same experience or use the same tools. Even if the same pen tester is brought back monthly, new and previously overlooked vulnerabilities may be discovered.
- Cost: Pen testing is expensive. It takes highly skilled professionals many hours to do more than just scratch the surface.
- Scope: Due to the above factors pen testing is usually done on a limited set of targets. Pen testing almost never involves testing every server, firewall, router, workstation, printer, IP phone, wireless access point, etc.
AVDS accomplishes the primary activity of pen testing, the identification of weaknesses in production hosts by testing behavior. It solves the four critical failures of manual pen testing:
- Frequency: VAM with AVDS can be done monthly, weekly or even daily on frequently changing services like web servers and web applications. New hosts are immediately detected and tested, changes made to hosts that create weaknesses are promptly discovered and newly announced vulnerabilities are added to the test library daily.
- Accuracy: AVDS is designed to be run by any competent network admin. It is highly automated and its ease of use, accuracy of tests and short, to-the-point reports encourage compliance.
- Cost: A typical AVDS installation can be purchased outright for the cost of one comprehensive penetration test. In future years, this can yield great savings.
- Scope: AVDS is designed to scan entire networks quickly and its licensing model encourages broad use.
Behavior-based testing of network hosts (and in particular web applications) is unique to AVDS. Its library of unique and proprietary tests has taken many years to compile and has been honed by constant use on thousands of networks. Accuracy was the goal of this mammoth project, and thanks to tens of thousands of hours of development work and feedback from thousands of customers, AVDS delivers the highest level of accuracy available in VAM. The result: most AVDS customers never experience a single reporting error.
Manual pen testing is sometimes required by internal policy or for compliance with some external standards. In these cases, AVDS is the perfect partner. Regular AVDS scanning and the elimination of all medium and high risk vulnerabilities it discovers will dramatically reduce the time needed to do manual penetration testing and so reduce its cost.
For additional information on AVDS behavior-based testing see: Vulnerability Assessment Accuracy.