Penetration Testing vs. Vulnerability Scanning

Besides cost, there are many differences between penetration testing and vulnerability scanning or assessments.  Based on NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, penetration testing is

“Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.”

This means that an engineer or tester is interacting and trying to exploit vulnerabilities discovered on the target systems or web application.  It is very much human driven, and the idea is that the engineer or tester will be acting like a “hacker.”  NIST calls this Active Security Testing.
 
NIST 800-115 also states that Passive Security Testing is ” Security testing that does not involve any direct interaction with the targets.”  This represents vulnerability scans.  
 
An engineer or tester might plug certain information into the software, but the rest of the engagement is the software scanning in-scope devices or applications for known vulnerabilities.  This is very automated.  Some software also has a little check box that will allow for some vulnerabilities to be exploited, but it isn’t always accurate and it is very limited.
 
Software just doesn’t have the human wisdom that experienced testers or engineers have.  They are looking for multiple vulnerabilities that could create a significant hole in your network.  They are looking at things that aren’t based on business logic, such as default credentials.
 
What about vulnerability assessments?
Vulnerability assessments are also mostly automated.  The human element is utilized here to verify the vulnerabilities actually exist.  Sometimes the scanning software produces a false positive.  A tester or engineer will verify each finding to ensure you have a list of vulnerabilities based on current knowledge.
 
Each has it’s place, however we feel that it should be clear what is being purchased.  If you would like to learn more about these services, contact us today.

Leave a comment