Discuss the differences between a pentest (Penetration Test) and vulnerability assessment.
Today, vulnerability scanning and penetration tests are fairly common among larger IT organizations, and they are becoming more common in smaller shops as well (2). Many information security professionals are familiar with the terms “vulnerability assessment” and “pentesting”. Unfortunately, in many cases, these two terms are incorrectly used interchangeably (1).
A vulnerability assessment is the process of finding and measuring the severity of vulnerabilities in a system. Vulnerability assessments yield lists of vulnerabilities, often prioritized by severity and/or business criticality (1).
Vulnerability assessments typically involve the use of automated testing tools such as web and network security scanners, whose results are typically assessed and escalated to development and operations teams. In other words, vulnerability assessments involve an in-depth evaluation of a security posture, designed to uncover weaknesses and recommend appropriate remediation or mitigation to remove or reduce risk (1).
In contrast, penetration testing is typically a goal-oriented exercise (1). A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data (4). A pentest has less to do with uncovering vulnerabilities and is rather more focused on simulating a real-life attack, testing defenses, and mapping out paths a real attacker could take to fulfill a real-world goal. In other words, a penetration test is usually about how an attacker is able to breach defenses and less about specific vulnerabilities (1).
Penetration testing, like vulnerability assessment, also typically involves the use of automated vulnerability scanners and other manual pentest tools to find vulnerabilities in web applications and network infrastructure. While it may be more common in pentesting to chain and exploit vulnerabilities in order to accomplish the pentest’s goal, this can also be a characteristic of vulnerability assessment. Conversely, not all pentests include elements of exploitation – in some cases, demonstrating an attack may be enough.
Since penetration testing tests security defenses across a path towards a goal, it is generally more useful when the target’s security maturity level is high – that is, when the target’s security defenses are believed to be strong. Penetration testing is an effective methodology for testing assertions about systems’ defenses with specific goals in mind (1).
Vulnerability assessment, on the other hand, is especially well suited to situations where there are known security issues, or when an organization which is not as security mature would like to get started. Alternatively, vulnerability assessment is an ideal methodology for organizations that have a medium-to-high security maturity and would like to maintain their security posture through continuous vulnerability assessment – especially effective when automated security testing is leveraged. Vulnerability assessments are, therefore, an approach which focuses on providing organizations with a list of vulnerabilities that need to be fixed, without evaluating specific attack goals or scenarios (1).
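The contrast drawn above, as an added example that is not part of the original essay: the same constructed findings produce a ranked remediation list in the assessment view and a chain toward one goal in the pentest view. The host names, scores, reachability edges and the severity × criticality ranking are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data (not from any real assessment).
# severity: CVSS-style 0-10 score; criticality: business value of the host, 1-5.
FINDINGS = [
    {"id": "F1", "host": "print01", "severity": 9.8, "criticality": 2},
    {"id": "F2", "host": "web01",   "severity": 5.3, "criticality": 3},
    {"id": "F3", "host": "app01",   "severity": 4.3, "criticality": 3},
    {"id": "F4", "host": "db01",    "severity": 3.1, "criticality": 5},
    {"id": "F5", "host": "mail01",  "severity": 7.5, "criticality": 2},
]

# Assumed reachability: (from, to, finding that makes the step possible).
EDGES = [
    ("internet", "web01", "F2"),
    ("internet", "mail01", "F5"),
    ("web01", "app01", "F3"),
    ("web01", "print01", "F1"),
    ("app01", "db01", "F4"),
]

def assessment_view(findings):
    """Vulnerability assessment output: every finding, ranked for remediation."""
    ranked = sorted(findings, key=lambda f: f["severity"] * f["criticality"],
                    reverse=True)
    return [f["id"] for f in ranked]

def pentest_view(edges, start, goal):
    """Pentest output: shortest chain of findings from start to goal, or []."""
    chains = {start: []}          # node -> findings used to reach it
    queue = deque([start])
    while queue:                  # breadth-first search over the reachability graph
        node = queue.popleft()
        if node == goal:
            return chains[node]
        for src, dst, finding in edges:
            if src == node and dst not in chains:
                chains[dst] = chains[node] + [finding]
                queue.append(dst)
    return []                     # goal not reachable with the known findings

if __name__ == "__main__":
    print("Ranked list :", assessment_view(FINDINGS))
    print("Path to db01:", pentest_view(EDGES, "internet", "db01"))
```

In this sample the top-ranked finding (F1) is not on the path to db01, while the lowest-ranked one (F3) is, which is why the two exercises lead to different remediation priorities.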
Vulnerability scanning and penetration testing are both critical to a comprehensive security strategy. They are powerful tools to monitor and improve an organization’s network environment (4).
(1). https://dzone.com/articles/the-difference-between-vulnerability-assessment-an
(2). https://www.redteamsecure.com/vulnerability-assessment-vs-penetration-testing/
(3). http://www.tns.com/PenTestvsVScan.asp
(4). https://www.secureworks.com/blog/vulnerability-assessments-versus-penetration-tests