Top 5 Reasons To Perform VAPT Of Your Web Application✔

I guess most of us know why a vulnerability assessment and penetration testing (VAPT) needs to be performed for web apps or mobile apps. Lately I had been asked by a fellow colleague and friend to do a basic pentest of his web app to ensure basic security, and I also had a session with him about the need for security in web apps. I thought I would sum it up and share it for the benefit of everyone who might be interested.

Here are the top 5 reasons to perform VAPT of your web application:

  1. To Identify Gaps Between Security Tools
    This may sound like a strange reason, but if you pentest the same web app with different tools, there is a good chance you will get varied results, sometimes contradicting each other. So if you know the security posture of your web app, you can and should use it to compare tools. In my experience, keeping the tools constant and doubting your own application is not correct. Ideally you should perform manual penetration testing, gather the results, and then compare tools to see which of them are capable of capturing the same set of findings. Remember, there is a great difference between manual and automated penetration testing; my personal choice is manual.

  2. To Prioritize Risk
    Usually vulnerabilities are found and collected, but risk prioritization is not carried out. With all the security risks to contend with these days, it is crucial for IT decision makers to determine how to prioritize risks in order of importance. When risks are not prioritized, I have seen many organizations spend a lot of time fixing trivial problems and delay, ignore or forget to fix the most critical ones.

  3. To Discover Loopholes & Misconfigurations
    This reason is as obvious as it sounds. Web apps, mobile apps and IT networks are prone to human error, and that is exactly what an attacker exploits. Most hacking attempts succeed because of incorrect coding practices and misconfigurations rather than vulnerabilities in the underlying platforms. Ideally, letting a third-party services firm run the penetration test is the right thing to do: it avoids conflict-of-interest situations and gives a completely unbiased outcome. That outcome can feed into a skill matrix, so that you can deploy the right people for the right job. Remember, there can be no compromise on skill-set when it comes to cyber security.

  4. To Improve Your Product SDLC Process
    QA teams find functional bugs, while pentesters find security bugs. Periodic penetration testing aligned with the SDLC process is an ideal approach to ensure lock-tight security. This way, the product code and its changes go through multiple iterations of security checks, reducing vulnerabilities drastically.

  5. To Ensure the Best Out of Your Cyber Security ROI
    Organizations tend to invest huge amounts of money, but they do not know what is happening with that money. This is especially true for IT product companies who develop great cloud-based software, deploy people, deploy infrastructure and have processes, but simply do not possess a habit of continuous security improvement using VAPT. This eventually results in some type of attack and/or data leakage, and pretty much renders the entire investment useless.

"It is better to be agile, on-the-toes and secure than being sorry."

Hence a discipline of performing periodic, well-thought-out vulnerability assessment and penetration testing is imperative for organizations, irrespective of industry sector, size or revenue. For those who wish to know more on VAPT.