Vulnerability Assessment vs Penetration Testing

What’s the difference between a Vulnerability Assessment (VA) and a Pen Test?

As always, “industry standard” terms mean different things to different people. To us here at Blanket Security, the difference lies in the client’s desired business outcome and in how mature their in-house security processes are. In a nutshell, a vulnerability assessment is an automated scan plus some analysis, giving a holistic view of the identified assets/websites. A pen test tries to complete a stated client objective – for example, “Attempt to steal the credit card details stored on our server.”

The Vulnerability Assessment
A Vulnerability Assessment consists of a number of steps – scanning, analysis, remediation, re-scanning, etc. The scan component uses automated tools to probe the target assets and match what it finds against a database of known vulnerabilities. For example, if a particular version of Apache is detected (e.g. by grabbing an HTTP header, footer or error message) and there are known problems with that version, the target is considered vulnerable. The scan generally goes no further than this: it is a version-to-signature match, not a confirmation that the flaw is actually exploitable on that host.

The initial analysis component can be partially done in software, but today’s scanners are limited to taking a vulnerability severity and applying a fudge factor to arrive at a business risk rating for each asset. This then needs a level of human analysis to confirm the validity of each vulnerability detected and to verify the business impact. For example, the automated tool might discover a vulnerability that it rates as low (e.g. data is accidentally leaked in an HTTP error message) but which is a critical business risk (the data just happens to be customer names and addresses).
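To make the scanning and rating steps above concrete, here is a small added example (not a real scanner and not Blanket Security’s code) that grabs a product and version from a Server header, matches it against a constructed signature database, and derives a business risk rating from the signature severity and an asset criticality. The product name, version ranges, signature IDs and scoring formula are all made up for illustration; every finding starts out unverified to reflect the human analysis step.

```python
"""Toy signature-based banner matcher and risk rater (illustrative only)."""
import re

# Constructed signature database: product, version ranges, IDs and severities
# are invented for this example. A real scanner's database is maintained and
# updated continuously by the vendor's research team.
SIGNATURES = [
    {"id": "SIG-0001", "product": "examplehttpd", "min": (1, 0, 0), "max": (1, 2, 9), "severity": 3},
    {"id": "SIG-0002", "product": "examplehttpd", "min": (1, 3, 0), "max": (1, 3, 4), "severity": 7},
]


def parse_server_header(header):
    """Return (product, version_tuple) from e.g. 'ExampleHTTPd/1.3.2 (Unix)', or None."""
    m = re.match(r"\s*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", header)
    if not m:
        return None  # banner hidden or non-standard: a version match has nothing to go on
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1).lower(), version


def match_signatures(header):
    """Signature match: product equal and version inside the affected range."""
    parsed = parse_server_header(header)
    if parsed is None:
        return []
    product, version = parsed
    version = (version + (0, 0, 0))[:3]  # pad '1.3' to (1, 3, 0) so range checks work
    return [s for s in SIGNATURES
            if s["product"] == product and s["min"] <= version <= s["max"]]


def business_risk(severity, asset_criticality):
    """Constructed 'fudge factor': technical severity (1-10) scaled by how much the
    business depends on the asset (1-5). Real scanners use vendor-specific formulas."""
    return severity * asset_criticality


def assess(header, asset_criticality):
    """Produce unverified findings for one asset; an analyst must confirm each one,
    since a version match alone cannot tell a backported fix from a vulnerable build."""
    return [
        {
            "id": sig["id"],
            "severity": sig["severity"],
            "business_risk": business_risk(sig["severity"], asset_criticality),
            "verified": False,  # awaiting human analysis
        }
        for sig in match_signatures(header)
    ]
```

Run `assess("ExampleHTTPd/1.3.2 (Unix)", asset_criticality=4)` to see a single SIG-0002 finding rated 28, while a hidden banner such as a bare `nginx` yields no findings at all.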

The next part of the analysis looks at each vulnerability, devises a way to remediate it, and recommends the order in which remediation should occur.

Signature-based scanning, the type used in a vulnerability scan, relies on a database of vulnerabilities that is accurate and up to date. All vulnerability scanning vendors retain research teams that continually research new vulnerabilities and add them to the list of signatures the scanners use.

Penetration Testing
The pen test, on the other hand, has a clearly stated objective – e.g. steal the credit cards. The pen test will include a vulnerability assessment component, usually used in initial reconnaissance. The vuln scan may not be a “full spectrum” scan; it may only have been run long enough to get the information required to exploit the system. The pen test is focused on the objective only, almost to the detriment of everything else. So long as the objective is met (steal the data), the fact that there are 10 other open holes in the system is less important.

There is also less analysis in a pen test. Your report will contain information about how the data was stolen (or what was attempted if the objective wasn’t met) and a lot less about other vulnerabilities discovered. Pen testing is more akin to pure hacking, using a formal methodology and process.

So, put simply, a Vulnerability Assessment shows you where all the vulnerabilities should be; a pen test shows you where one particular vulnerability IS (and shows you how it was exploited).

Which one you require depends on your needs and on how much in-house security you have (if any). An organisation that knows it needs help but doesn’t know where to start can begin with a vulnerability assessment and then put a process in place, or use our vulnerability scanning managed service for ongoing scanning and reporting. A customer that believes its defences are in place but wants them tested can contact us for a security pen test.
