The Difference Between a Vulnerability Assessment and a Penetration Test
What’s the Difference?
The purpose of this post is to explain some differences between a vulnerability assessment and a penetration test so you know what to expect when you purchase either service.
The primary difference between a penetration test and a vulnerability assessment is that a vulnerability assessment is threat-agnostic.
Where a penetration test focuses on emulating specific threat actors and actions in order to seek out the resultant impact and risk, a vulnerability assessment does not.
The goal of a vulnerability assessment is to identify potential vulnerabilities.
The goal of a penetration test is to identifying actual risk.
Below are some characteristics of both a vulnerability assessment and a penetration test. Both types of security testing have their value and purpose.
- focuses on identifying potential vulnerabilities
- Utlizes a “signature database”, much like anti-virus software to identify known vulnerabilities
- identifies High, Moderate, and Low risk vulnerabilities
- depends on the use of a vulnerability scanner(s), such as Nessus, or Burp Suite
- typically focuses on being comprehensive i.e. scanning everything on the network
- can help identify assets connected to the network
- does not usually include vulnerability validation i.e. there will be false positives
- does not require an advanced skill set
- typically does not find “chained” vulnerabilities, where one vulnerability can give access to another
- can be conducted by one person with a scanner in a short period of time
- produces a report with numbers of vulnerabilities
- Is limited in scope – can only determine network vulnerabilities where scanners exist. E.g. network, web application, war dialers
Periodic vulnerability assessments are a very important piece in an effective Information Security program. They identify “low hanging fruit” and when done correctly, make a would-be attacker’s job much more difficult. Most organizations conduct quarterly vulnerability scanning, but the more secure organizations conduct scanning more often than that – many conduct daily or continuous scanning.
- focuses on emulating a real-world attacker and identifying actual risk – not merely just a list of potential vulnerabilities
- identifies unknown vulnerabilities “zero day”
- validates vulnerabilities by exploitation
- can identify additional vulnerabilities not identifiable or accessible by a vulnerability assessment
- gains access to systems/data/application by the exploitation process
- leverages access to spread throughout other systems or applications on the network
- determines the ultimate impact of a vulnerability
- does not rely solely on the use of a vulnerability scanner
- a red team might not use a vulnerability scanner at all
- largely a manual process
- requires an advanced skill set
- is conducted by a team and requires more time
- produces a report with validated vulnerabilities and the actual business or organizational impact of the vulnerabilities
- is not comprehensive in nature
- can be “full scope” in nature. I.e. Can look at all aspects of your Information Security program – network, web app, application, physical, social etc.
Periodic penetration testing assessments are a critical part of an Information Security program and play a crucial role in overall business or organizational risk management. Most organizations conduct annual penetration testing assessments, but the more proactive and secure organizations conduct more frequent testing.
As you can see, a vulnerability assessment is very different from a penetration test. The focus and end result is completely different. Both are an essential part of a solid Information Security program. Conducting quarterly vulnerability scans can help fix the low hanging fruit, while the annual penetration testing can help alleviate the more complex security problems. Together, these two assessments can greatly enhance a company’s security posture, and help prevent an intrusion or other security breach.