LightPEN: Optimizing the Vulnerability Exposures for Lightweight Penetration Test

Abstract

Penetration Testing (PenTest) is crucial to an organization’s system security. It helps ensure the confidentiality, integrity, and availability of the system and reduces exposures to future risks. Specifically, the PenTest process is usually initiated after the vulnerability assessment (VA) scanning where its results are used to undertake the PenTest. Significantly, PenTest requires expert testers to test each vulnerability found in the VA stage thoroughly. Hence, the process is expert-dependent and time-consuming. To optimize the set of vulnerabilities to be tested in the PenTest process, we introduce the scheme called LightPEN to support the extraction of known vulnerabilities obtained from existing sources such as local code scanning, notice from vendors and developers, and previous VA reports. In addition, our system provides exploitable scripts for the PenTest process. Finally, we conducted the experiment to demonstrate the efficiency of our proposed system.