It amazes me how many people confuse the importance of vulnerability scanning with penetration testing. Vulnerability scanning cannot replace the importance of penetration testing, and penetration testing on its own cannot secure the entire network.
Both are important at their respective levels, needed in cyber risk analysis, and are required by standards such as PCI, HIPAA, ISO 27001 etc.
Penetration testing exploits vulnerabilities in your system architecture while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure.
Both penetration testing and vulnerability scanning depend mostly on three factors:
- Risk and Criticality of assets
- Cost and Time
Penetration testing scope is targeted, and there is always a human factor involved. There is no such thing as automated penetration testing. It requires the use of tools, sometimes a lot, but it also requires an extremely experienced person to conduct the testing.
A good penetration tester always – at some point – crafts a script, changes the parameters of an attack, and/or tweaks the settings of the tools (s)he is using during a test.
Penetration testing can operate at the application or network level, or be specific to a function, department, or set of assets. Alternatively, one can include the whole infrastructure and all applications, but that is impractical in the real world because of cost and time.
You define your scope on a number of factors, mainly the risk and the importance of an asset. Spending a lot of money on low-risk assets that may take several days to exploit is not practical. After all, penetration testing requires highly skilled people, and that’s why it is costly.
Additionally, testers often exploit a new vulnerability or discover security flaws that are not known to normal business processes, something which can take from days to a few weeks. Because of its cost and its higher-than-average chance of causing outages, penetration testing is often conducted once a year. All reports are short and to the point.
On the other hand, vulnerability scanning is the act of identifying potential vulnerabilities in network devices, such as firewalls, routers, switches, servers, and applications. It is automated and focuses on finding potential and known vulnerabilities at the network or application level. It does not exploit the vulnerabilities. Vulnerability scanners merely identify known vulnerabilities and hence are not built to find zero-day vulnerabilities.
Vulnerability scanning scope is business-wide and requires automated tools to manage the high number of assets. It is wider in scope than penetration testing. Product-specific knowledge is needed to use a vulnerability scanning product effectively; scans are usually run by administrators or a security person with good networking knowledge.
Vulnerability scans can be run on any number of assets to ascertain known vulnerabilities. You can then use those scan results to quickly eliminate the more serious vulnerabilities affecting your valuable resources, following a vulnerability management lifecycle.
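The risk-based prioritization described above (rank scan findings by both severity and asset criticality, then fix the serious ones on valuable assets first) is easy to show in code. The following is an added example, not code from the original post or from any scanner product: the assets, findings, the 1 to 5 criticality rating, the weighting factors and the remediation windows are all constructed for illustration.

```python
"""Risk-based triage of vulnerability scan findings (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # assumed business rating: 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str           # hypothetical scanner check identifier
    title: str
    cvss: float             # base score, 0.0 .. 10.0
    exploit_available: bool  # scanner flag: public exploit code known


# Constructed asset inventory: what the business actually cares about.
ASSETS: Dict[str, Asset] = {
    "payments-db": Asset("payments-db", criticality=5),
    "vpn-gateway": Asset("vpn-gateway", criticality=4),
    "dev-wiki": Asset("dev-wiki", criticality=1),
}

# Constructed scanner output: note the 9.8 on the low-value wiki.
FINDINGS: List[Finding] = [
    Finding("payments-db", "CHK-0001", "Outdated TLS configuration", 7.5, False),
    Finding("dev-wiki", "CHK-0002", "Remote code execution in CMS plugin", 9.8, True),
    Finding("vpn-gateway", "CHK-0003", "Authentication bypass", 9.8, True),
    Finding("payments-db", "CHK-0004", "Information disclosure", 5.3, False),
]

EXPLOIT_WEIGHT = 1.5  # assumed multiplier when exploit code is public


def priority_score(finding: Finding, asset: Asset) -> float:
    """Severity scaled by how much the asset matters, bumped if exploitable."""
    score = finding.cvss * asset.criticality
    if finding.exploit_available:
        score *= EXPLOIT_WEIGHT
    return round(score, 1)


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[float, Finding]]:
    """Return findings ranked highest priority first; unknown assets get criticality 1."""
    ranked = []
    for f in findings:
        asset = assets.get(f.asset, Asset(f.asset, criticality=1))
        ranked.append((priority_score(f, asset), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def remediation_sla_days(score: float) -> int:
    """Assumed remediation windows for the triage tiers (not a standard's values)."""
    if score >= 50:
        return 7
    if score >= 25:
        return 30
    if score >= 10:
        return 90
    return 180


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.1f}  fix within {remediation_sla_days(score):3d} days  "
              f"{f.asset:12s} {f.check_id} {f.title}")
```

The point the ranking makes is the one the post makes: the CVSS 9.8 remote code execution on the throwaway wiki ends up last, while a medium-severity TLS issue on the payments database outranks it, because scope and remediation effort follow asset value, not the raw scanner severity.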
The cost of a vulnerability scan is low to moderate compared to penetration testing, and it is a detective control as opposed to a preventive measure like penetration testing.
Both vulnerability scanning and penetration testing can feed into a cyber risk analysis process and help determine controls best suited for the business, department, or practice. They must work together to reduce risk, but to get the most out of them, it is very important to know the difference, as each is important and has a different purpose and outcome.