What is the difference between vulnerability assessment and penetration testing?


There is often confusion around the role of a vulnerability assessment versus a penetration test. This is compounded by unscrupulous security vendors presenting (and pricing) a vulnerability assessment as a penetration test. Aside from poor ROI, this can give an organisation a false sense of security, when in fact they have only received a basic level service. In the following blog article, we explain the difference, and how regular vulnerability assessments and penetration testing should work together to enhance an organisation’s security posture.

What is a Vulnerability Assessment?

A vulnerability assessment is the process of identifying whether an organisation’s systems and applications have potential known security vulnerabilities. It consists of one or more automated scans, followed by the generation of a report containing a prioritised list of the vulnerabilities found, their severity and generic remediation advice. This is a useful auditing tool for the security team to remediate any weaknesses that could allow a cybercriminal to gain access to the organisation’s systems and sensitive data. The quality of the results depends on the quality and recency of the vulnerability scanning software and on the ability of the security professional interpreting the results.

How is it different from Penetration Testing?

Penetration testing has much greater potential breadth of scope (e.g. social engineering) and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attack used by cybercriminals, targeting both known and unknown vulnerabilities. Vulnerability assessments are often used to scope a penetration test or as a research tool during the reconnaissance phase of a penetration test. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test, the tester will modify their approach until they can provide proof of vulnerability through exploitation and gain access to the secure systems or stored sensitive information that a malicious attack could compromise.

A penetration test report is customised to the organisation and the scope of the engagement and provides the data that is critical to securing an organisation’s systems and stored sensitive information. It supplies the management team with a fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found, in order of severity, with detailed and customised advice to expedite remediation. This then provides the IT security team with the information they require to fast-track remediation work, demonstrates the ROI of existing security tools and facilitates the management team’s confident approval of security expenditure.


A penetration testing report supplies the management team with a fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found.

The Difference Between Vulnerability Assessment and Penetration Testing

The key characteristics of a vulnerability assessment and penetration test are compared in the table below.

Purpose

  Vulnerability Assessment: To scan systems to identify potential ‘known’ vulnerabilities and provide generic remediation advice to improve the security of the scanned target(s).

  Penetration Test: To identify and demonstrate proof of exploit and provide customised remediation advice to improve the security of the scoped target(s).

Characteristics

  Vulnerability Assessment:

  • Automated process.

  • Scanning software scans the entire target(s).

  • Scan types include network, web application and source code scans, and Approved Scanning Vendor (ASV) scans for PCI DSS.

  • Scanning software uses signatures to identify unpatched or out-of-date software, incomplete deployment of security software, known bugs and open ports.

  • Scanning software can only identify vulnerabilities it has signatures for. It cannot find vulnerabilities that are unknown.

  • Results may include false positives and false negatives. Results identify potential vulnerabilities, not confirmed ones.

  Penetration Test:

  • Largely a manual process, using a mix of penetration testing software and custom-written exploits.

  • The tester may use a vulnerability assessment in the reconnaissance phase of a penetration test and then go on to exploit chosen, prioritised vulnerabilities.

  • Demonstrates actual risk by emulating a cybercriminal.

  • Types of penetration testing include: networks (external, internal, mobile, wireless), applications (mobile, web, web service/API), physical security, social engineering and phishing, secure code reviews and red teaming.

  • Able to exploit known and unknown vulnerabilities.

  • Testing is rarely exhaustive; the tester focuses attention within the scope of the engagement.

Results

  Vulnerability Assessment: An automated report with a prioritised list of the vulnerabilities found, their severity and generic remediation advice.

  Penetration Test: A hand-written report listing the vulnerabilities and exploits, categorised according to risk level, with recommendations for remediation based on key insights into the cyberthreat landscape.

Recommended frequency

  Vulnerability Assessment: Outside of meeting a specific compliance requirement, vulnerability scans should be performed both externally to the network and from within at least quarterly, or more frequently for organisations with a high-risk profile.

  Penetration Test: Outside of meeting a specific compliance requirement, penetration tests should be performed at least annually, or more frequently for organisations with a high-risk profile.
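The characteristics above describe how a vulnerability scanner works: it matches what it can observe (product names, version strings, open ports) against a signature database and reports potential findings, generically ranked by severity. The following added example, which is not part of the original article and uses only constructed data (the product names, version numbers, hosts and signature identifiers such as SIG-0001 are invented placeholders, not real CVEs), shows a minimal version-signature scanner over a small inventory. It illustrates the three limitations the table lists: findings are only ever "potential", a vendor backport that the scanner cannot interpret produces a false positive, and an application with no signature produces no finding at all even if it is vulnerable.

```python
"""Toy signature-based vulnerability scanner (constructed data, for illustration only)."""
from dataclasses import dataclass

# Ranking used to prioritise the report, highest severity first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Signature:
    sig_id: str          # placeholder identifier, NOT a real CVE number
    product: str         # product name as it appears in a banner / inventory
    fixed_in: tuple      # first version that is no longer affected
    severity: str
    advice: str          # generic remediation advice, as a scanner would emit


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str
    vendor_patch: str = ""   # vendor backport tag; the signature below ignores it


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    sig_id: str
    severity: str
    advice: str
    status: str = "potential"   # a scan result is never proof of exploitability


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def scan(services, signatures):
    """Match every observed service against every signature; return prioritised findings."""
    findings = []
    for svc in services:
        for sig in signatures:
            if sig.product != svc.product:
                continue
            # Pure version comparison: this is exactly why backported fixes
            # (same upstream version string, patched by the vendor) show up as
            # false positives and must be verified manually.
            if parse_version(svc.version) < sig.fixed_in:
                findings.append(Finding(svc.host, svc.port, sig.sig_id,
                                        sig.severity, sig.advice))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def coverage_gaps(services, signatures):
    """Products in the inventory that no signature covers: the scanner is blind to them."""
    known = {sig.product for sig in signatures}
    return sorted({svc.product for svc in services if svc.product not in known})


# --- constructed signature database and inventory (all names and versions invented) ---
SIGNATURES = [
    Signature("SIG-0001", "examplehttpd", (2, 4, 5), "high",
              "Upgrade examplehttpd to 2.4.5 or later."),
    Signature("SIG-0002", "exampledb", (10, 2), "medium",
              "Upgrade exampledb to 10.2 or later."),
]

INVENTORY = [
    Service("host-a", 443, "examplehttpd", "2.4.1"),                     # genuinely unpatched
    Service("host-b", 443, "examplehttpd", "2.4.1", "vendor-backport-7"),  # patched by backport: false positive
    Service("host-c", 5432, "exampledb", "10.1"),                        # genuinely unpatched
    Service("host-d", 8080, "custom-portal", "1.0"),                     # in-house app: no signature exists
]


def report(services=INVENTORY, signatures=SIGNATURES):
    """Produce the kind of prioritised list a vulnerability assessment report contains."""
    findings = scan(services, signatures)
    lines = [f"{f.severity.upper():8} {f.host}:{f.port} {f.sig_id} ({f.status}) - {f.advice}"
             for f in findings]
    for product in coverage_gaps(services, signatures):
        lines.append(f"NOTE     no signatures for '{product}'; unknown vulnerabilities not assessed")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints three findings (host-a, host-b and host-c) plus a note that custom-portal was not assessed. host-b appears with the same severity as host-a even though it is patched, which is the false positive the table warns about; only manual verification, or the exploitation step of a penetration test, separates the two.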

Together, vulnerability assessments and penetration testing enhance an organisation’s security posture. Both are essential components of a strong cybersecurity and information security program, and a requirement for achieving and maintaining compliance.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers. In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.


Questions & More Information

Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.