In this post we will take a quick look at the differences between vulnerability assessment (VA) and penetration testing (PT). Furthermore, we’ll give a set of questions that should help you decide which service is the best choice for your particular case.
So let’s say you want to improve the security of your internal network infrastructure and you have to choose between VA and PT – offered by your favorite consultancy firm. First of all, let’s see what they are.
Vulnerability Assessment – is the process of identifying and prioritizing technical vulnerabilities which affect a target system or network. It is mainly done automatically using a vulnerability scanner and it’s usually aimed at a wide area of machines. The purpose of a VA is to find as many vulnerabilities as possible in the given time frame. Optionally, manual validation may be included for the critical findings but this is not usually done when a high number of vulnerabilities are involved.
Penetration Testing – is a goal-based simulation of a real attack. The pentesters will search for a chain of vulnerabilities in the target system/network and exploit them to reach their target (e.g. gain access to a client database, obtain sensitive information, gain Domain Admin, etc). The pentest report will contain only the vulnerabilities encountered during the attack against the target and no additional checks are being made. However, the reported vulnerabilities are 100% validated and their risk for the business is accurate.
Neither VA, nor PT should be confused with the security audit which is a totally different service.