
It amazes me how many people confuse vulnerability scanning with penetration testing. Vulnerability scanning cannot replace penetration testing, and penetration testing on its own cannot secure the entire network.

Both are important at their respective levels, both feed into cyber risk analysis, and both are required by standards such as PCI, HIPAA and ISO 27001.

Penetration testing exploits vulnerabilities in your system architecture, while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure.

Both penetration testing and vulnerability scanning depend mostly on three factors:

  1. Scope
  2. Risk and Criticality of assets
  3. Cost and Time

Penetration testing scope is targeted, and there is always a human factor involved. There is no such thing as automated penetration testing. It requires the use of tools, sometimes a lot of them, but it also requires an extremely experienced person to conduct the testing.

A good penetration tester always – at some point – crafts a script, changes the parameters of an attack, and/or tweaks the settings of the tools (s)he is using during a test.

Penetration testing can operate at the application or network level, or be specific to a function, department, or set of assets. Alternatively, one can include the whole infrastructure and all applications, but that is impractical in the real world because of cost and time.

You define your scope based on a number of factors, mainly the risk and importance of each asset. Spending a lot of money on low-risk assets that may take several days to exploit is not practical. After all, penetration testing requires highly skilled people, and that’s why it is costly.

Additionally, testers often exploit a new vulnerability or discover security flaws that are not known to normal business processes, which can take from days to a few weeks. Because of its cost and its higher-than-average chance of causing outages, penetration testing is often conducted once a year. All reports are short and to the point.

On the other hand, vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers, and applications. It is automated and focuses on finding potential and known vulnerabilities at the network or application level. It does not exploit the vulnerabilities. Vulnerability scanners merely identify known vulnerabilities and hence are not built to find zero-day exploits.

Vulnerability scanning scope is business-wide and requires automated tools to manage the high number of assets. It is wider in scope than penetration testing. Product-specific knowledge is needed to use the output of vulnerability scans effectively; the scans are usually run by administrators or a security person with good networking knowledge.

Vulnerability scans can be run on any number of assets to ascertain known vulnerabilities. You can then use those scan results to quickly eliminate the more serious vulnerabilities affecting your valuable resources, using a vulnerability management lifecycle.
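The step above, turning raw scan output into a remediation order that reflects both severity and asset value, is what most of the "management" in a vulnerability management lifecycle amounts to. The script below is an added example, not code from the original article or from any scanner vendor. It assumes a scanner export that has already been flattened into host / finding / CVSS rows and an asset inventory that assigns each host a business criticality; both inputs are constructed sample data, and the severity-times-criticality score and the "fix now" threshold are illustrative choices, not a published formula.

```python
"""Rank vulnerability-scan findings by severity and asset criticality.

Added example (not from the original article). Inputs below are constructed
sample data standing in for a flattened scanner export and an asset
inventory; the scoring formula and threshold are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed sample: a scanner export reduced to (host, title, CVSS base score).
SCAN_FINDINGS = [
    {"host": "10.0.1.10", "title": "Outdated TLS configuration", "cvss": 5.3},
    {"host": "10.0.1.10", "title": "Missing OS patches", "cvss": 9.8},
    {"host": "10.0.2.20", "title": "Default SNMP community string", "cvss": 7.5},
    {"host": "10.0.3.30", "title": "Missing OS patches", "cvss": 9.8},
    {"host": "10.0.3.30", "title": "Self-signed certificate", "cvss": 4.0},
]

# Constructed asset inventory: criticality 1 (low) .. 3 (high), as the risk
# analysis would assign it. Hosts missing from the inventory get a default,
# so an unknown asset is never silently treated as unimportant.
ASSET_CRITICALITY = {
    "10.0.1.10": 3,  # payment API server
    "10.0.2.20": 1,  # lab switch
    "10.0.4.40": 3,  # HR portal, scanned clean in this sample
}
DEFAULT_CRITICALITY = 2


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    criticality: int

    @property
    def priority(self) -> float:
        # Weighted product of severity and business value (assumed scoring).
        return round(self.cvss * self.criticality, 1)


def load_findings(rows, inventory, default=DEFAULT_CRITICALITY):
    """Join scanner rows with the inventory so each finding carries its asset's criticality."""
    return [
        Finding(r["host"], r["title"], float(r["cvss"]), inventory.get(r["host"], default))
        for r in rows
    ]


def rank_findings(findings):
    """Most urgent remediation first; ties broken by raw CVSS, then host for stable output."""
    return sorted(findings, key=lambda f: (-f.priority, -f.cvss, f.host))


def remediation_plan(findings, threshold=15.0):
    """Split ranked findings into a 'fix now' list and a backlog using a priority threshold."""
    ranked = rank_findings(findings)
    fix_now = [f for f in ranked if f.priority >= threshold]
    backlog = [f for f in ranked if f.priority < threshold]
    return fix_now, backlog


def pentest_scope_candidates(findings, inventory, min_criticality=3):
    """High-criticality hosts with no open 'fix now' findings.

    These are the assets where a manual penetration test adds information the
    scanner cannot; hosts still carrying urgent scan findings are excluded,
    since those should be closed before paying for manual testing.
    """
    fix_now, _ = remediation_plan(findings)
    blocked = {f.host for f in fix_now}
    return sorted(h for h, c in inventory.items() if c >= min_criticality and h not in blocked)


if __name__ == "__main__":
    findings = load_findings(SCAN_FINDINGS, ASSET_CRITICALITY)
    fix_now, backlog = remediation_plan(findings)
    print("FIX NOW")
    for f in fix_now:
        print(f"  {f.priority:5.1f}  {f.host:<10} {f.title}")
    print("BACKLOG")
    for f in backlog:
        print(f"  {f.priority:5.1f}  {f.host:<10} {f.title}")
    print("Pen test scope candidates:", pentest_scope_candidates(findings, ASSET_CRITICALITY))
```

With the sample data, the two "Missing OS patches" findings rank differently even though they share a CVSS score, because one sits on the payment server and the other on a host of default criticality; the lab switch's default SNMP string lands in the backlog despite a 7.5 score. The only host proposed for manual testing is the clean high-value HR portal, which is the scoping logic the article describes: scope by risk and asset importance, not by scanner noise.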

The cost of a vulnerability scan is low to moderate compared to penetration testing, and it is a detective control as opposed to a preventive measure like penetration testing.

Both vulnerability scanning and penetration testing can feed into a cyber risk analysis process and help determine the controls best suited for the business, department, or practice. They must work together to reduce risk, but to get the most out of them it is very important to know the difference, as each has a different purpose and outcome.

  • Way too often, it is the CLIENT who misunderstands what a penetration test is.
    If this is the first time dealing with a specific client who wants a ‘pen test’, I ask them:
    Do you want a $3000 / 12-month pen test (aka an external vulnerability scan), a one-time $7500 web pen test (aka a single web application security test), or a $15000 one-time ‘penetration test’?

    This opens the discussion, usually why 12 of them cost $3000 and one of them costs $15K.
    I explain: $3k gets you 12 automated tests. The automated tests do a really good job of finding most of the misconfigurations, missing patches and other issues that hackers can exploit.

    The $15K test should ONLY be done after you close all the holes found in the vulnerability scan. No sense paying someone a lot of money if you are going to make it easy for them.

    ‘Back in the day’ (late ’90s) a pen test was ‘plant the flag’. You get in, you get paid.
    Easiest $15K to make. Just find the CFO’s house, get his 56-bit wifi key, and now you are on the corporate network.

    Always start with an automated scan. That will help you discuss the scope of the next step with the client.

    If you find custom web applications that would have sensitive information, then also recommend a web app test of that application.

    If you find NOTHING, and the client wants additional testing, then go for the pentest.
    (Note: pricing is just budgetary and given as an example for comparison; someone with a huge network will pay more.)
