Two very different ways to test your systems for vulnerabilities. 

Gary Glover, Dir of Security Assessment at SecurityMetrics
Penetration testing and vulnerability scanning are often confused for the same service. And, business owners sometimes purchase one when they really need the other. 



A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Both types of testing can be performed on systems exposed to the Internet or only exposed on your internal network.

This post will dive deeper into the differences between the two tests.

What is a vulnerability scan?

Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses. These scans are typically automated and give a first look into what vulnerabilities are present and could possibly be exploited.

High-quality vulnerability scans can search for over 50,000 vulnerabilities and are required by some cybersecurity mandates (e.g., PCI DSS, FFIEC, and GLBA). Regardless of requirements, this type of scanning is a mainstay of cybersecurity threat prevention for any company wanting to protect its digital data.

Vulnerability scans can be initiated manually or scheduled on an automated basis, and complete in as little as several minutes or as long as several hours. At a minimum, these scans should be conducted on all systems exposed to the Internet (for example, web servers, mail servers, etc. living in a DMZ). To be thorough, they should also be conducted on all systems exposed on your internal network, to detect vulnerabilities that could be exploited by data thieves if they get past your edge defenses.

Vulnerability scans are a passive approach to vulnerability management in the sense that they stop at reporting: they probe for and report detected vulnerabilities but do not attempt to exploit them. It is up to the business owner or his/her IT staff to patch weaknesses on a prioritized basis, or to confirm that a discovered vulnerability is a false positive, and then rerun the scan.

To ensure the most important vulnerabilities are being scanned for, vulnerability scans should be conducted by a skilled team or well-known vulnerability scanning company. In the case of PCI DSS compliance you must use a PCI Approved Scanning Vendor, or ASV.

See Also: Spotting Vulnerabilities – Is Vulnerability Scanning Antiquated?

Reporting
After scan completion, a report will generate. Typically, vulnerability scans generate an extensive list of vulnerabilities found and references for further research on the vulnerability. Some even offer directions on how to fix the problem.

The report lists every weakness the scanner detected, but it sometimes includes false positives. A false positive is when a scan identifies a threat that is not real (for example, a service whose version banner matches a vulnerable release even though the fix was applied). Sifting real vulnerabilities from false positives can be a chore, especially if many are falsely identified.

Benefits of a vulnerability scan
  • Quick, high-level look at possible vulnerabilities
  • Very affordable (~$100 per IP, per year, depending on the scan vendor)
  • Automatic (can be automated to run weekly, monthly, quarterly, etc.)
  • Completes in minutes to a few hours
Limitations of a vulnerability scan
  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Does not confirm that a vulnerability is possible to exploit
See Also: Picking Your Vulnerability Scanner: The Questions You Should Ask
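To make the false-positive and triage points above concrete, here is an added example (not code from the original post or from SecurityMetrics) of the kind of version-banner matching that automated scanners rely on, followed by the analyst triage step the post describes. The advisory IDs, banners, and hosts are all constructed for illustration; they are not real CVEs or real systems.

```python
"""Added example: banner-based vulnerability detection and analyst triage.

Scanners typically decide "vulnerable" by comparing the version a service
advertises against a list of fixed versions. That is fast and cheap, but it
cannot tell whether the flaw is actually exploitable, which is why reports
contain false positives (e.g. a Linux distribution backports the fix while
leaving the upstream version string unchanged).
"""
import re

# Constructed advisory list (placeholder IDs, not real CVEs). A product is
# flagged when the observed version is older than the version that fixed it.
ADVISORIES = [
    {"id": "ADV-0001", "product": "OpenSSH", "fixed_in": (8, 0), "severity": "High"},
    {"id": "ADV-0002", "product": "Apache", "fixed_in": (2, 4, 50), "severity": "Medium"},
]

# Constructed banners as a scanner would see them on the wire.
SAMPLE_BANNERS = {
    "10.0.0.5": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",  # distro build, fix backported
    "10.0.0.6": "SSH-2.0-OpenSSH_8.4",
    "10.0.0.7": "Server: Apache/2.4.41 (Ubuntu)",
}

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
BANNER_RE = re.compile(r"(?P<product>OpenSSH|Apache)[_/](?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.41' -> (2, 4, 41); tuples compare element-wise, like versions."""
    return tuple(int(part) for part in text.split("."))


def match_banner(host, banner):
    """Return the findings a scanner would report for one service banner."""
    match = BANNER_RE.search(banner)
    if not match:
        return []
    product = match.group("product")
    version = parse_version(match.group("version"))
    findings = []
    for adv in ADVISORIES:
        if adv["product"] == product and version < adv["fixed_in"]:
            findings.append({
                "host": host,
                "id": adv["id"],
                "severity": adv["severity"],
                "evidence": banner,
                "status": "open",
            })
    return findings


def scan(banners):
    """Run the banner check over every host; sort by severity for prioritizing."""
    findings = []
    for host, banner in banners.items():
        findings.extend(match_banner(host, banner))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


def triage(findings, false_positives):
    """Apply analyst decisions. false_positives is a set of (host, id) pairs
    the team has verified are not exploitable; everything else stays open
    and must be patched before the rescan."""
    for finding in findings:
        if (finding["host"], finding["id"]) in false_positives:
            finding["status"] = "false positive"
    return findings


def open_findings(findings):
    """The remediation queue: what is still open after triage."""
    return [(f["host"], f["id"]) for f in findings if f["status"] == "open"]


if __name__ == "__main__":
    results = scan(SAMPLE_BANNERS)
    # Analyst confirmed 10.0.0.5 carries the backported fix: mark and move on.
    triage(results, {("10.0.0.5", "ADV-0001")})
    for f in results:
        print(f["host"], f["id"], f["severity"], f["status"], "|", f["evidence"])
    print("still open:", open_findings(results))
```

Two things to notice. The OpenSSH 7.4 host is flagged by version string alone even though its distribution build may already carry the fix; nothing in the scan can distinguish the two, which is exactly why a human (or a penetration tester) has to confirm exploitability. And the patched-then-rescan loop is just `scan()` again over the new banners: once 10.0.0.7 advertises 2.4.50 or later, the finding disappears on the next run.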

What is a penetration test?

A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called ethical hackers, try to prove that vulnerabilities can be exploited. Using methods like password cracking, buffer overflows, and SQL injection, they attempt to compromise a network and extract data from it.
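The SQL injection case shows the difference between the two services well. An added example follows (not code from the original post or from SecurityMetrics); it uses a constructed SQLite login table. The `login_vulnerable` function is deliberately written the way the injectable code in a real application looks; `login_fixed` is the hardened form. A scanner-style check only notices that a stray quote makes the application throw a database error, which is a hint that something may be injectable; the tester's checks submit payloads that change the query's logic and show that rows come back without valid credentials, which is proof.

```python
"""Added example: flagging a possible SQL injection versus proving it."""
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable on purpose: user input is pasted into the SQL text."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Hardened: bound parameters, so input can never alter query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def scanner_indicator(login):
    """What an automated scan can observe: does a lone quote break the query?
    A database error is only a hint ("possible injection"); it does not prove
    that an attacker can read or change data."""
    try:
        login(build_db(), "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


def prove_dump(login):
    """Tester's proof #1: a tautology in both fields should return every row
    without any valid credential. Returns the rows the application leaked."""
    payload = "' OR '1'='1"
    return login(build_db(), payload, payload)


def prove_bypass(login, target_user):
    """Tester's proof #2: comment out the password check (SQLite honours '--')
    to log in as a chosen account with any password."""
    return login(build_db(), f"{target_user}' --", "wrong-password")


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(f"{name:10s} scanner hint: {scanner_indicator(fn)}")
        print(f"{name:10s} dump payload returned: {prove_dump(fn)}")
        print(f"{name:10s} bypass as alice returned: {prove_bypass(fn, 'alice')}")
```

Against `login_vulnerable`, the dump payload turns the `WHERE` clause into `username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, and the bypass payload leaves `username = 'alice' --...`, so the password is never checked. Against `login_fixed` both payloads are just odd-looking usernames and no rows come back, which is the result a tester writes up as "not exploitable".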

Penetration testing of both external and internal systems is a very effective approach to finding vulnerabilities that need to be removed and is considered an essential element of any good security program. This type of testing is required by PCI DSS, FFIEC, and GLBA.


The cost of a penetration test can run between $5,000 to over $70,000, but it depends on how many IPs are tested and the size of tested web applications. Learn more about the cost of penetration testing.

The main aspect that differentiates penetration testing from vulnerability scanning is the live human element. There is no such thing as an automated penetration test. True penetration tests are conducted by real people.

Penetration testers are well versed in:
  • Black hat attack methodologies (e.g., remote access attacks, SQL injection)
  • Internal and external testing (i.e., the perspective of someone within the network and the perspective of a hacker on the Internet)
  • Web front-end technologies (e.g., JavaScript, HTML)
  • Web application programming languages (e.g., Python, PHP)
  • Web APIs (e.g., REST, SOAP)
  • Network technologies (e.g., firewalls, IDS)
  • Networking protocols (e.g., TCP/UDP, SSL/TLS)
  • Operating systems (e.g., Linux, Windows)
  • Scripting languages (e.g., Python, Perl)
  • Testing tools (e.g., Nessus, Metasploit)
In short, penetration testers provide a deep and detailed look into the data security of an organization.


Reporting
Typically, penetration test reports are long and contain a description of testing methodologies, attacks used, detailed findings, and suggestions for remediation.

Benefits of a penetration test
  • Live, manual tests mean more accurate and thorough results
  • Rules out false positives
  • Usually performed annually or after a significant change
Limitations of a penetration test
  • Time (1 day to 3 weeks)
  • Cost ($5,000 to $70,000)

Which is better? A vulnerability scan or penetration test?

Both tests work together to validate optimal network security. Vulnerability scans are for weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough way to deeply examine your network security. Yes, penetration tests are expensive, but you are paying a professional to examine every nook and cranny of your business the way a real-world attacker would.

The difference is comparable to that between a fuzzy x-ray image and a clear, 3-D MRI. X-rays are great for small, quick problems (vulnerability scan), but an MRI (penetration test) is needed for deeper, more complicated problems. Get an MRI for your network.


Gary Glover (CISSP, CISA, QSA, PA-QSA) is Senior Vice President of Assessments at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.