Penetration Testing and Vulnerability Scanning are often confused as the same service. The problem is, they have their differences and are not the same. Let me explain how they differ:

Vulnerability Assessment

Vulnerability Assessment is an inspection of the potential points of exploit on a computer or network to identify security holes.

A vulnerability scan detects and classifies system weaknesses in computers, networks, communications equipment and predicts the effectiveness of countermeasures. A scan may be performed by an organization’s IT department or a security service provider, possibly as a condition imposed by some authority. The vulnerability scan involves the use of automated network security scanning tools, whose results are listed in the report. As findings reflected in a vulnerability assessment report are not backed by an attempt to exploit them, some of them may be false positives.

Client Note: A solid vulnerability assessment report should contain the title, the description and the severity (high, medium or low) of each vulnerability uncovered. A mash of critical and non-critical security weaknesses would be quite puzzling, as you wouldn’t know which vulnerability to patch first.

Penetration Testing

In contrast to vulnerability scanning, penetration testing involves identifying vulnerabilities in a particular network and attempting to exploit them to penetrate into the system.

The purpose of penetration testing is to determine whether a detected vulnerability is genuine. If a pentester manages to exploit a potentially vulnerable spot, he or she considers it genuine and reflects it in the report. The report can also show unexploitable vulnerabilities as theoretical findings. Don’t confuse these theoretical findings with false-positives. Theoretical vulnerabilities threaten the network but it’s a bad idea to exploit them as this will lead to DoS.

Client Note: At the initial stage, a reputable provider of penetration testing services will use automated tools sparingly. Practice shows that a comprehensive penetration testing should be mostly manual.

During the exploiting stage, a pen-tester tries to harm the customer’s network (takes down a server or installs malicious software on it, gets unauthorized access to the system, etc.). Vulnerability assessment doesn’t include this step.

Penetration testing vs. vulnerability assessment at a glance

Which lays bare the differences between the two techniques:

How often to perform the service?

Vulnerability assessment: Once a month. Plus an additional testing after changes in the network.

Penetration testing: Once a year, at the least

What’s in the report?

Vulnerability assessment: A comprehensive list of vulnerabilities, which may include false positives.

Penetration testing: A “call to action” document. It list the vulnerabilities that were successfully exploited.

Who performs the service?

Vulnerability assessment: In-house security staff or a third-party vendor.

Penetration testing: A provider of penetration testing services.

What’s the value of the service?

Vulnerability assessment: Uncovers a wide range of possible vulnerabilities

Penetration testing: Shows exploitable vulnerabilities.

The choice of vendor

The differences between vulnerability assessment and penetration testing show that both information security services are worth taking on board to keep your network & computer infrastructure safe. Vulnerability assessment is good for security maintenance, while penetration testing discovers real security weaknesses.

It’s possible to take advantage of both services only if you contract a high-quality vendor, who understands and, most importantly – translates to the customer the difference between penetration testing and vulnerability assessment. Thus, in penetration testing, a good vendor combines automation with manual work and doesn’t provide false positives in the report. At the same time, in vulnerability assessment, the vendor uncovers a wide range of possible network vulnerabilities and reports them according to the customer’s business.