It amazes me how many people confuse vulnerability scanning with penetration testing. Vulnerability scanning cannot replace penetration testing, and penetration testing, on its own, cannot secure the entire network. Both are important at their respective levels, both are needed in cyber risk analysis, and both are required by standards such as PCI DSS, HIPAA, ISO 27001, etc.

Vulnerability Scanning vs. Penetration Testing

Penetration testing actively exploits a vulnerability in your system architecture to demonstrate real impact, while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure.

The choice between penetration testing and vulnerability scanning depends mostly on three factors:

  1. Scope
  2. Risk and Criticality of assets
  3. Cost and Time

Penetration Testing

Penetration testing scope is targeted, and there is always a human factor involved. There is no fully automated penetration testing: penetration testing requires the use of tools, sometimes a lot of tools, but it also requires an extremely experienced person to conduct it. A good penetration tester will always, at some point during the engagement, craft a script, change the parameters of an attack, or tweak the settings of the tools he or she is using.

The scope can be at the application or network level, but it is specific to a function, a department, or a set number of assets. One could include the whole infrastructure and all applications, but that is impractical in the real world because of cost and time. You define your scope based on a number of factors, mainly the risk and the importance of each asset.

Spending a lot of money on low-risk assets that may take a number of days to exploit is not practical. Penetration testing requires highly skilled people, and that is why it is costly. Testers often exploit a new vulnerability or discover vulnerabilities that normal business processes are not aware of.