Businesses often perceive vulnerability scanning as an alternative to penetration testing. This perception is wrong. An organization conscious of cybersecurity must include both these activities in their business processes and make sure that they work in unison. Missing out on one of them greatly decreases the security posture, both for web application security and network security. Penetration tests and vulnerability scans are also perceived separately as compliance requirements (for example, for the Payment Card Industry Data Security Standard – PCI DSS, ISO 27001, or HIPAA compliance). Let’s have a look at the key differences between penetration testing and vulnerability scanning and their place in the cybersecurity ecosystem.

What is penetration testing?

During a penetration test, a trusted professional imitates the activities of a real-world black-hat hacker and attempts to find potential vulnerabilities and misconfigurations, exploit weaknesses, and infiltrate business assets by using manual tests. Such tests are designed to work exactly like cyberattacks but are carefully prepared not to impact information security. This trusted professional, called a pentester, may be a part of the internal security team or hired through an external company. If the penetration test results in a security breach, the security professional provides detailed vulnerability assessment and penetration testing reports so that the business may eliminate the vulnerability that led to the breach.

For many reasons, businesses often choose to outsource penetration tests. First, an external entity has a more objective perception of the tested systems. Second, not many businesses can find security professionals specializing in pen testing, employ them full-time, and provide them with enough work on a regular basis. Third, a business that provides comprehensive security services including risk assessment and penetration testing services has much more experience and a much larger expert base.

Penetration testers cannot fully automate their work. They use some security tools, such as manual vulnerability assessment and penetration testing frameworks (for example, Metasploit), to perform attacks. They may also use techniques such as social engineering (including phishing) to evaluate the security posture of the company staff.

Penetration tests are sometimes considered to be more thorough than vulnerability scans, but in reality they cover a different scope of vulnerabilities. Pen testing focuses on what cannot be discovered automatically, for example, business logic vulnerabilities and new (zero-day) vulnerabilities. You cannot expect a vulnerability scan to be part of a penetration test.

Bounties vs penetration testing

Some companies believe that bounties are a good alternative to regular security testing. Bounties encourage freelance ethical hackers to attempt to breach your security controls so that they are awarded a prize for such a successful attempt. However, you cannot guarantee that talented white-hat hackers will know about your bounty or choose to pursue it, therefore bounties are unpredictable.

Bounties are not a viable alternative to penetration testing, but they are a valuable addition. A security-conscious business should have a public disclosure policy with suitable bounties. Regular penetration tests must still be performed.

What is vulnerability scanning?

A vulnerability scan is an activity performed by an automated tool with minimal human assistance. By design, vulnerability scans should be performed on schedule and automatically as part of the software development lifecycle. Such a security scan is designed to find known problems, although the vulnerability testing scope greatly depends on the chosen vulnerability scanning tool.

A vulnerability scanner discovers the structure of the scanned asset (some professional tools even discover existing assets) and then attempts a series of automated tests on each element of that structure. Simple tools use only signature-based scanning but more advanced tools attempt attacks similar to those done during penetration testing. Such vulnerability scanning is often referred to as automated penetration testing.

Professional tools also include vulnerability assessment and vulnerability management functionality and work with early mitigation technologies such as web application firewalls. With such tools, you can decide which vulnerabilities need to be addressed first and you can also monitor the remediation processes. This way, you can be sure that the major security risks are eliminated quickly and effectively.

How often to perform security assessments?

Once a business implements a vulnerability scanning solution, there is no limit as to how often such scans can be performed. The only concern is that such scans may be resource-intensive, and therefore businesses often choose to perform them during off-hours for production assets. Professional vulnerability scanning solutions are also made to be integrated into the software development lifecycle, and therefore such tests may be performed after every source code change using a continuous integration solution.
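The prioritization and remediation tracking described under "What is vulnerability scanning?" and the per-change scanning described here come together in a continuous integration gate. The following is an added example, not code from the article or from any scanner vendor: it consumes two constructed scan reports (a hypothetical JSON shape, not a real product's format), orders findings by severity, reports what was fixed, what is new and what is still open since the previous scheduled scan, and decides whether the build should pass.

```python
import json

# Constructed sample reports in a hypothetical shape: the previous scheduled
# scan and the scan run after the latest source code change.
PREVIOUS_REPORT = json.dumps({"findings": [
    {"id": "F-001", "severity": "high", "target": "/login", "name": "SQL injection"},
    {"id": "F-002", "severity": "medium", "target": "/search", "name": "Reflected XSS"},
    {"id": "F-003", "severity": "low", "target": "/", "name": "Missing security header"},
]})
CURRENT_REPORT = json.dumps({"findings": [
    {"id": "F-002", "severity": "medium", "target": "/search", "name": "Reflected XSS"},
    {"id": "F-003", "severity": "low", "target": "/", "name": "Missing security header"},
    {"id": "F-004", "severity": "critical", "target": "/api/export", "name": "Outdated component"},
]})

# Unknown severities rank lowest so a malformed entry never silently blocks a build.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def load_findings(report_json):
    """Index a report's findings by their stable identifier."""
    return {f["id"]: f for f in json.loads(report_json)["findings"]}


def prioritize(findings):
    """Order findings so the most severe are addressed first (ties by id)."""
    return sorted(findings.values(),
                  key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["id"]))


def remediation_delta(previous, current):
    """Track remediation between two scans: fixed, newly introduced, still open."""
    prev_ids, cur_ids = set(previous), set(current)
    return {"fixed": sorted(prev_ids - cur_ids),
            "new": sorted(cur_ids - prev_ids),
            "open": sorted(prev_ids & cur_ids)}


def gate(findings, fail_at="high"):
    """CI gate: pass only if nothing at or above the fail_at severity remains."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK.get(f["severity"], 0) < threshold for f in findings.values())


if __name__ == "__main__":
    prev, cur = load_findings(PREVIOUS_REPORT), load_findings(CURRENT_REPORT)
    for f in prioritize(cur):
        print(f"{f['severity']:<8} {f['id']} {f['target']} {f['name']}")
    print(remediation_delta(prev, cur))
    raise SystemExit(0 if gate(cur) else 1)
```

The exit status is what a pipeline stage would act on; the delta output is what a remediation tracker would record between scheduled runs.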

On the other hand, penetration tests are very time-consuming, costly, and resource-intensive. That is why they are usually performed once every few months or in bigger intervals.

THE AUTHOR
Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.