Vulnerability Assessment vs. Penetration Test: The Showdown

I often hear confusion when it comes to the difference between a Vulnerability Assessment and a Penetration Test. These two terms are used interchangeably, though they should not be. While similar in many ways, there are distinct differences between the two. This post is an effort to help clarify the differences between the two, as well as give an example of when you might want to perform one and not the other.

First, what is a vulnerability? A vulnerability is "a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product." (a) So a vulnerability can be software related, hardware related, or even human related. The vulnerability can be at a desktop/client computing level, or at a network level. It can encompass a single computer or line of code, or be the culmination of many different systems.

What is a vulnerability scan? A vulnerability scan is often how we locate known vulnerabilities. A vulnerability scan will not find an unknown vulnerability. That is where the assessment portion comes in. As security professionals, when we perform an assessment we should be doing much more than regurgitating the results from the tool we use. We should be assessing those results. If the tool says your system is affected by a specific vulnerability and rates it as a medium finding, that may or may not be accurate. A true assessment looks at the vulnerability and compares it to the actual risk to the business. There can be vulnerabilities in a system, but if a vulnerability carries no real risk, then its severity can be lowered.

The process of assessing the vulnerability scan results is the important distinction between a Vulnerability Scan and a Vulnerability Assessment. The Vulnerability Assessment is a good starting point to determine where there are weaknesses in your environment; it should be performed periodically, and the findings remediated! But what if you want a clearer picture of your actual vulnerabilities? What if you want to know what would happen if an attacker were able to break into your system? What if you want to know the true impact of the vulnerabilities? Then you would want a Penetration Test.
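The "assess, don't regurgitate" step above, as an added example that is not part of the original post: the scanner rates the same finding "medium" on three hosts, and the assessment re-rates each against constructed business context (internet exposure, data sensitivity, compensating controls, whether the service is even in use). The severity scale, the context fields and the shift-by-one rules are assumptions for illustration, not a standard.

```python
from dataclasses import dataclass, field

# Scanner severity scale; the tool's rating is only the starting point.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

@dataclass
class Finding:
    host: str
    title: str
    tool_severity: str  # what the scanner reported

@dataclass
class AssetContext:
    internet_facing: bool
    data_sensitivity: str  # "public", "internal" or "confidential"
    service_in_use: bool = True
    compensating_controls: list = field(default_factory=list)

def _shift(severity, steps):
    """Move a severity up or down the scale, clamped to its ends."""
    idx = SEVERITY_ORDER.index(severity) + steps
    return SEVERITY_ORDER[max(0, min(idx, len(SEVERITY_ORDER) - 1))]

def assess(finding, ctx):
    """Re-rate one finding against business context; return (severity, reasons)."""
    if not ctx.service_in_use:
        # Vulnerable component present but unreachable: still fix it, but no urgency.
        return "low", ["affected service is disabled; no exposure"]
    severity, reasons = finding.tool_severity, []
    if ctx.internet_facing:
        severity = _shift(severity, 1)
        reasons.append("reachable from the internet")
    if ctx.data_sensitivity == "confidential":
        severity = _shift(severity, 1)
        reasons.append("host handles confidential data")
    if ctx.compensating_controls:
        severity = _shift(severity, -1)
        reasons.append("mitigated by: " + ", ".join(ctx.compensating_controls))
    return severity, reasons

def assess_scan(findings, inventory):
    """Apply assess() per finding; hosts missing from the inventory keep the tool rating."""
    return {f.host: assess(f, inventory[f.host]) if f.host in inventory
            else (f.tool_severity, ["no asset context available"]) for f in findings}

# Constructed sample: the scanner rates the same issue "medium" on three hosts.
SAMPLE_FINDINGS = [Finding(h, "Outdated TLS library", "medium") for h in ("web-01", "db-01", "lab-07")]
SAMPLE_INVENTORY = {
    "web-01": AssetContext(True, "confidential"),
    "db-01": AssetContext(False, "confidential", compensating_controls=["network segmentation"]),
    "lab-07": AssetContext(False, "public", service_in_use=False),
}
```

Running `assess_scan(SAMPLE_FINDINGS, SAMPLE_INVENTORY)` lifts web-01 to critical, leaves db-01 at medium, and drops lab-07 to low, with the reasons recorded so the report explains the deviation from the tool's rating.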

A Penetration Test takes the vulnerability assessment a step further. A penetration tester will actually attempt to exploit the vulnerabilities found to determine whether or not they pose a risk to your environment. (Some vulnerabilities are not exploitable, and some that are will never show up in a vulnerability scan result, such as social engineering.) A good penetration tester will review the results from a vulnerability scan and figure out what s/he can exploit. Then the penetration tester will attempt exploits and eventually may find a way in. (This of course depends on the scope and rules of engagement, which they should NEVER deviate from.) Once in, the (good) penetration tester will keep pivoting to find all the vulnerabilities they can exploit and all the data they can pilfer (again, assuming that this is all in scope and under the rules of engagement). The penetration tester then compiles a report, similar to the vulnerability assessment, but more detailed, giving a clear view of what they did and how they did it. You can then follow along in that report to see how they got in, and also use it to fix the vulnerabilities found.

So how do you determine what your business needs? Do you need the Vulnerability Assessment or a full-blown Penetration Test? I am not sure I can answer this question for you. You need to determine whether you feel you have taken the steps to remove as many vulnerabilities as possible. You need to have protections in place as well as monitoring to detect anomalies. A great place to start is SANS' Top 20 Critical Security Controls. This list will help you determine where your business stands with regard to protecting your network. I believe the list is ordered in a perfect way to determine whether you are ready for a penetration test. (You will notice that Penetration Test is last on the list.) The penetration test should be done, I am not saying it should not, but you should strive to put as many of the other protections in place before engaging in this way. Otherwise it is likely that your test results will be so overwhelming that you will not even be able to fix all the problems found in the penetration test. (Also, you will likely have to implement the controls to remediate the findings anyway, so why waste the time and money on the Penetration Test when you can simply implement them first?)

What any of these assessments comes down to is better protecting your company and its assets. That is why we do what we do. We may love what we do, but if it does not help protect our company, then it is not worth it in the end. Stay safe out there.

(a) -
