What is the difference between vulnerability assessments and penetration tests?
In the IT industry, a number of people have the same common misconception: penetration tests and vulnerability assessments are the same thing. There are differences that I don’t think enough people are aware of. I would like to clear up any sort of confusion. First, let’s take a look at what each of these assessments are, and why you would want or need these assessments.
A Penetration Test is an assessment that exploits known and unknown vulnerabilities on a web application, operating system, web server, and network. Once a vulnerability has been exploited, a Penetration Test can then show what data can be accessed. For example, if there is a missing patch on a system, and exploiting this missing patch gives you access to a system with credit card data, the Penetration Test frames the criticality of the missing patch. A Vulnerability Assessment cannot do that.
A Vulnerability Assessment is a scan that will identify known network, operating system, web application, and web server vulnerabilities with the use of automated tools such as Nessus, WebInspect, Netsparker, and Qualys, just to name a few. Using an automated tool can give you an overall picture of the technical risk of a company’s network. A vulnerability scan is a good way to identify vulnerabilities on a large number of systems, in a shorter period of time. The Vulnerability Assessment will only recognize a “signature” of a weakness, and give it a technical risk rating. Most vulnerability scanners do not do a good job of finding the same vulnerabilities that come up in a Penetration Test.
The Payment Card Industry Data Security Standard (PCI DSS) is one reason why a company would need to have a Vulnerability Assessment or Penetration Test performed, and it identifies the difference between the two. PCI DSS Requirement 11.2 mentions that a Vulnerability Assessment is an automated tool that is run against external and internal network devices. PCI DSS Requirement 11.3 says that network and application Penetration Tests are different from vulnerability scans in that Penetration Tests are a lot more manual, and can attempt to exploit vulnerabilities that are found in a Vulnerability Assessment. Simply put, a Vulnerability Assessment is a piece of code that will identify and report on known vulnerabilities. Because of the way vulnerability scanners identify vulnerabilities, a scanner will more likely run into false positives. A Penetration Test goes a step further in that a human exploits vulnerabilities that are found. And because there is a human exploiting vulnerabilities, false positives do not exist.
In my opinion, it is impossible to say that a Vulnerability Assessment is better than a Penetration Test, or vice versa. Both Vulnerability Assessments and Penetration Tests are very valuable to an organization’s network security. So depending on what steps you want to take to securing your network, you can have one or the other, or even both, performed. When you are looking to have these two assessments performed, keep in mind that you will get two different outcomes.