Vulnerability Assessment vs. Penetration Testing: Know Who Is Who
Have you ever paid for penetration testing services and received a hundred-odd page “penetration testing” report that merely lists the vulnerabilities detected by a vulnerability scanning tool? Well, you’re not alone. The problem is quite common, as many providers offer penetration testing that turns out to be vulnerability assessment. This article explains the two security services to prepare you for the search for a high-quality penetration testing and vulnerability assessment vendor.
Vulnerability assessment
Vulnerability assessment aims to identify vulnerabilities in a network. The technique is used to estimate how susceptible the network is to different vulnerabilities. Vulnerability assessment relies on automated network security scanning tools, whose results are listed in the report. As the findings in a vulnerability assessment report are not backed by an attempt to exploit them, some of them may be false positives.
A lifehack for a prospective customer: A solid vulnerability assessment report should contain the title, the description and the severity (high, medium or low) of each vulnerability uncovered. An unsorted mash of critical and non-critical security weaknesses would be quite puzzling, as you wouldn’t know which vulnerability to patch first.
Penetration testing
In contrast to vulnerability assessment, penetration testing involves identifying vulnerabilities in a particular network and attempting to exploit them to penetrate the system.
The purpose of penetration testing is to determine whether a detected vulnerability is genuine. If a pentester manages to exploit a potentially vulnerable spot, he or she considers it genuine and reflects it in the report. The report can also show unexploitable vulnerabilities as theoretical findings. Don’t confuse these theoretical findings with false positives. Theoretical vulnerabilities threaten the network, but it’s a bad idea to exploit them as this will lead to DoS.
Another lifehack for a prospective customer: At the initial stage, a reputable provider of penetration testing services will use automated tools sparingly. Practice shows that a comprehensive penetration test should be mostly manual.
During the exploitation stage, a pentester tries to harm the customer’s network (e.g., takes down a server, installs malicious software on it, or gains unauthorized access to the system). Vulnerability assessment doesn’t include this step.
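As an added example (not code from the original article), the following Python merges a scanner’s findings with a pentester’s verdicts and orders them so the patch queue is unambiguous: exploited findings first, then theoretical ones, then unverified scanner hits, with false positives sinking to the bottom. All finding titles, descriptions and verdict labels are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Severity buckets the article expects in a solid report, most urgent first.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
# Pentest verdicts: exploited = genuine; theoretical = real but unsafe to exploit
# (DoS risk); unverified = scanner output only; false_positive = disproved.
STATUS_RANK = {"exploited": 0, "theoretical": 1, "unverified": 2, "false_positive": 3}

@dataclass(frozen=True)
class Finding:
    title: str
    description: str
    severity: str
    status: str = "unverified"

def validate(f):
    """Reject records that lack the fields a usable report must carry."""
    if not f.title or not f.description:
        raise ValueError(f"finding {f.title!r} lacks a title or description")
    if f.severity not in SEVERITY_RANK:
        raise ValueError(f"{f.title}: unknown severity {f.severity!r}")
    if f.status not in STATUS_RANK:
        raise ValueError(f"{f.title}: unknown status {f.status!r}")

def apply_verification(scan, verdicts):
    """Attach the pentester's verdict (keyed by title) to each scanner finding."""
    return [replace(f, status=verdicts.get(f.title, "unverified")) for f in scan]

def prioritize(findings):
    """Confirmed exploits first, then theoretical, then unverified scanner hits;
    false positives sink to the bottom. Within a verdict, higher severity first."""
    for f in findings:
        validate(f)
    return sorted(findings, key=lambda f: (STATUS_RANK[f.status],
                                           SEVERITY_RANK[f.severity], f.title))

def patch_queue(findings):
    """Titles that still need remediation, in priority order."""
    return [f.title for f in prioritize(findings) if f.status != "false_positive"]

# Constructed sample data: five scanner findings and three pentest verdicts.
SCAN = [
    Finding("Outdated TLS configuration", "Server still accepts TLS 1.0", "medium"),
    Finding("SQL injection in login form", "Login parameter reaches the query unescaped", "high"),
    Finding("Directory listing enabled", "Static directory index is exposed", "low"),
    Finding("Kernel DoS via malformed packets", "Vendor advisory applies to running kernel", "high"),
    Finding("Outdated banner version", "Banner shows an old version string", "high"),
]
VERDICTS = {"SQL injection in login form": "exploited",
            "Kernel DoS via malformed packets": "theoretical", "Outdated banner version": "false_positive"}
```

Calling `patch_queue(apply_verification(SCAN, VERDICTS))` returns the four titles that still need remediation, with the disproved banner finding dropped and the exploited SQL injection at the top.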
Vulnerability assessment vs. penetration testing
Difference 1. Breadth vs. depth
The key difference between vulnerability assessment and penetration testing is the vulnerability coverage, namely the breadth and the depth.
Vulnerability assessment focuses on uncovering as many security weaknesses as possible (a breadth-over-depth approach). It should be employed on a regular basis to maintain a network’s secure status, especially when network changes are introduced (e.g., new equipment installed, services added, ports opened). It also suits organizations that are not yet security-mature and want to know all possible security weaknesses.
Penetration testing, in turn, is preferable when the customer asserts that network security defenses are strong but wants to check whether they are hack-proof (a depth-over-breadth approach).
Difference 2. The degree of automation
Another difference, connected to the previous one, is the degree of automation. Vulnerability assessment is usually automated, which allows for wider vulnerability coverage, while penetration testing combines automated and manual techniques, which helps to dig deeper into each weakness.
Difference 3. The choice of professionals
The third difference lies in the choice of professionals to perform the two security assurance techniques. Automated testing, which is widely used in vulnerability assessment, doesn’t require as much skill, so it can be performed by members of your own security department. However, the company’s security employees may find vulnerabilities they can’t patch and leave them out of the report, so a third-party vulnerability assessment vendor might be more informative. Penetration testing, in turn, requires a considerably higher level of expertise (as it is manually intensive) and should always be outsourced to a penetration testing services provider.
Penetration testing vs. vulnerability assessment at a glance
Take a look at a quick questionnaire, which lays bare the differences between the two techniques:
How often to perform the service?
Vulnerability assessment: Once a month, plus additional testing after changes in the network.
Penetration testing: Once a year at the least.
What’s in the report?
Vulnerability assessment: A comprehensive list of vulnerabilities, which may include false positives.
Penetration testing: A “call to action” document. It lists the vulnerabilities that were successfully exploited.
Who performs the service?
Vulnerability assessment: In-house security staff or a third-party vendor.
Penetration testing: A provider of penetration testing services.
What’s the value of the service?
Vulnerability assessment: Uncovers a wide range of possible vulnerabilities.
Penetration testing: Shows exploitable vulnerabilities.
The choice of vendor
The differences between vulnerability assessment and penetration testing show that both security testing services are worth taking on board to guard network security. Vulnerability assessment is good for security maintenance, while penetration testing discovers real security weaknesses.
It’s possible to take advantage of both services only if you contract a high-quality vendor who understands and, most importantly, explains to the customer the difference between penetration testing and vulnerability assessment. So, in vulnerability assessment, the vendor uncovers a wide range of possible network vulnerabilities and reports them according to their severity for the customer’s business. At the same time, in penetration testing, a good vendor combines automation with manual work (giving preference to the latter) and doesn’t include false positives in the report. Though it may raise the cost of penetration testing, it is highly advisable to engage certified pentesting engineers (e.g., Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP)).