Penetration Testing or Vulnerability Assessment – Which one should I choose?

In this post we will take a quick look at the differences between vulnerability assessment (VA) and penetration testing (PT). Furthermore, we’ll give a set of questions that should help you decide which service is the best choice for your particular case.

So let’s say you want to improve the security of your internal network infrastructure and you have to choose between VA and PT – offered by your favorite consultancy firm. First of all, let’s see what they are.

Vulnerability Assessment – is the process of identifying and prioritizing technical vulnerabilities that affect a target system or network. It is mainly done automatically using a vulnerability scanner and is usually aimed at a wide range of machines. The purpose of a VA is to find as many vulnerabilities as possible in the given time frame. Optionally, manual validation may be included for the critical findings, but this is not usually done when a high number of vulnerabilities is involved.

Penetration Testing – is a goal-based simulation of a real attack. The pentesters will search for a chain of vulnerabilities in the target system/network and exploit them to reach their goal (e.g. gain access to a client database, obtain sensitive information, gain Domain Admin, etc.). The pentest report will contain only the vulnerabilities encountered during the attack against the target; no additional checks are made. However, the reported vulnerabilities are 100% validated and their risk to the business is accurate.

Neither VA nor PT should be confused with a security audit, which is a totally different service.


5 Benefits of a penetration test

Penetration testing projects are definitely fun for passionate pentesters.

However, the question is what are the real benefits of a pentest for the client company?

What is the real value of a penetration test?


Many clients have misconceptions and false assumptions about penetration testing and engage in this type of project for the wrong reasons, such as:

  • After a penetration test I will be safe
  • A penetration test will find all of my vulnerabilities
  • I’ve heard that pentesting is ‘sexy’ so I would like one myself

Companies that do penetration tests for these reasons do not get the real benefits of this service and are practically throwing their money away.

From my perspective, a penetration test has the following true benefits for the client company:
