One Vulnerability Assessment Penetration Testing (VAPT) question asked by Internal Auditors and CISOs

Photo: Internal Audit reviewing documents

This article is the first in a series of blog posts to help internal auditors and the C-suite understand the types of VAPT (security assessment) testing for web and mobile applications.


This post: One Vulnerability Assessment Penetration Testing question asked by Internal Auditors and CISOs
Second post: Boxes, yet more boxes!
Last post: Where do blackbox and grey box tests play in securing your cyber assets?


“The Board of Directors had requested Internal Audit to look into a new product about to go live. I’ve asked for and received the VAPT (security assessment) report from IT. The report indicated a greybox security assessment with various findings ranked by severity. The report does not indicate or suggest 100% vulnerability identification in the web and mobile applications. What should I do now?”


In a nutshell, 100% vulnerability identification (or completeness testing) can never be asserted in a black box or grey box security assessment report.


Why not?

To explain, I will elaborate on the two types of testing methodology used in the software development and testing industry, and link them to the four security assessments commonly offered by VAPT security assessment firms.

I will also compare the level of assurance each gives against the effort required, and explain why the most commonly requested black box and grey box assessments are not sufficient when 100% vulnerability identification is required.


Okay, here we go!


There are two types of testing, namely:

  1. Static application security testing
  2. Dynamic application security testing


Static application security testing (SAST) or static analysis

Photo: Orchard Library, Singapore by Chuttersnap

The security assessor has a complete view of the web or mobile application from the inside out. He/she can examine the software libraries, source code, byte code or configuration rules for signs of security vulnerabilities or misconfiguration.

Static analysis, as its name suggests, is performed without running the application or program. Because the assessor is reading the code itself, he/she can trace the specific parameters or inputs that may trigger a security vulnerability, including those on code paths that are rarely or never exercised in normal use.


Dynamic application security testing (DAST) or dynamic analysis

Photo: Colorado Convention Centre, USA by Elizabeth Thomsen

This is the alternative that looks at the web or mobile application from the outside while it is running. The security assessor does not have access to the application's innards, so he/she applies educated guesses about which inputs might trigger a security vulnerability and observes how the application responds. This is currently the most common method of testing web or mobile applications. Its limitation follows directly from the approach: dynamic testing can only report on the inputs and code paths the assessor actually managed to reach, so it can show that a vulnerability exists but never that none remain. These two testing methodologies address different risks from different perspectives.
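
The following is an added example, not code from the original post or from Dynafense, showing the two methodologies side by side on one constructed, deliberately vulnerable piece of application code. The sample application, the SQL injection flaw it contains, the table contents and the helper names (static_scan, dynamic_probe, run_demo) are all assumptions made for illustration. The static view parses the source without running it and flags every database call whose statement is assembled from user input; the dynamic view has no source access, sends a benign value and an injection payload to each reachable function, and compares the results. The point it demonstrates is the one made above: the vulnerable branch behind an internal flag is visible to static analysis but invisible to an outside probe that never guesses the flag.

```python
import ast
import sqlite3

# Constructed sample "application" source, written for this example only.
# find_user and admin_report build SQL by string concatenation (vulnerable);
# find_user_safe uses a parameterised query.
SAMPLE_SOURCE = '''
def find_user(conn, username):
    # Vulnerable: user input concatenated straight into the SQL statement
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Safe: the driver binds the value, it is never parsed as SQL
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

def admin_report(conn, flag, filter_value):
    # Same flaw, but only on a branch an outside tester has no reason to guess
    if flag == "internal-only":
        return conn.execute("SELECT * FROM users WHERE name = '" + filter_value + "'").fetchall()
    return []
'''


def _concat_leaves(node):
    """Flatten an a + b + c chain into its operands."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _concat_leaves(node.left) + _concat_leaves(node.right)
    return [node]


def static_scan(source):
    """SAST view: parse the source without running it and report every
    .execute() call whose statement is assembled from non-constant parts.
    Returns a list of (function_name, line_number)."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Minimal dataflow: remember `name = <expr>` so execute(query) can be resolved
        assigned = {}
        for node in ast.walk(func):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                assigned[node.targets[0].id] = node.value
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                continue
            stmt = node.args[0]
            if isinstance(stmt, ast.Name):
                stmt = assigned.get(stmt.id, stmt)
            # f-strings, or a concatenation with any non-literal operand, are dynamic SQL
            dynamic = isinstance(stmt, ast.JoinedStr) or any(
                not isinstance(leaf, ast.Constant) for leaf in _concat_leaves(stmt))
            if dynamic:
                findings.append((func.name, node.lineno))
    return findings


def dynamic_probe(endpoints):
    """DAST view: no source access. Send a benign value and an injection
    payload to each endpoint and compare the responses. Returns the names
    of endpoints where the payload changed the result."""
    benign = "nosuchuser"
    payload = "' OR '1'='1"
    flagged = []
    for name, call in endpoints.items():
        baseline = len(call(benign))
        try:
            injected = len(call(payload))
        except sqlite3.Error:
            # A database error on the payload already shows the input reached the SQL parser
            flagged.append(name)
            continue
        if injected > baseline:
            flagged.append(name)
    return flagged


def run_demo():
    """Run both views over the same constructed application and return
    (static_findings, dynamic_findings)."""
    app = {}
    exec(SAMPLE_SOURCE, app)  # load the sample functions into a namespace
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    endpoints = {
        "find_user": lambda v: app["find_user"](conn, v),
        "find_user_safe": lambda v: app["find_user_safe"](conn, v),
        # The outside tester does not know about "internal-only", so sends an ordinary flag
        "admin_report": lambda v: app["admin_report"](conn, "public", v),
    }
    return static_scan(SAMPLE_SOURCE), dynamic_probe(endpoints)


if __name__ == "__main__":
    static_findings, dynamic_findings = run_demo()
    print("SAST (source view):", static_findings)
    print("DAST (outside view):", dynamic_findings)
```

Run as-is, the static scan reports both concatenating functions, find_user and admin_report, while the dynamic probe reports only find_user: admin_report is never exercised with the flag that reaches its vulnerable branch. Neither list is wrong; they simply answer different questions, and only the static one can be reasoned about for completeness against the code that actually exists.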


These two methodologies can be further broken down into four subtypes of security assessment, each with its own level of assurance.

Diagram: Dynamic testing vs Static testing


Each security assessment subtype has its advantages and disadvantages, which I will discuss in next week's post.


Have a Great Week ahead and stay Cyber Strong!

Say Hong TAN

CISA, CRT, CA (Singapore)
Founder and Director
Dynafense Cybersecurity
