It amazes me how many people confuse the importance of vulnerability scanning with penetration testing. Vulnerability scanning cannot replace penetration testing, and penetration testing on its own cannot secure the entire network.
Penetration testing exploits vulnerabilities in your system architecture, while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure. Both penetration testing and vulnerability scanning depend mostly on three factors:
- Risk and criticality of assets
- Cost and time
What is Penetration Testing?
Penetration testing scope is targeted, and there is always a human factor involved. There is no such thing as automated penetration testing. It requires the use of tools, sometimes a lot of them, but it also requires an extremely experienced person to conduct the testing.
A good penetration tester always—at some point—crafts a script, changes the parameters of an attack and/or tweaks the settings of the tools (s)he is using during a test.
Penetration testing can operate at the application or network level, or be specific to a function, a department or a number of assets. Alternatively, one can include the whole infrastructure and all applications, but that is impractical in a real-world scenario because of cost and time.
You define your scope based on a number of factors, mainly the risk and the importance of an asset. Spending a lot of money on low-risk assets that may take several days to exploit is not practical. After all, testing requires highly specialized knowledge, and that’s why it is costly.
Additionally, testers often exploit a new vulnerability or discover security flaws that are not known to normal business processes, something which can take from days to (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Babar Mahmood. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/difference-vulnerability-scanning-penetration-testing/