Pentesting vs Vulnerability Scanning

Two very different ways to test your systems for vulnerabilities. 

Gary Glover, Dir of Security Assessment at SecurityMetrics
By: Gary Glover
Penetration testing and vulnerability scanning are often confused for the same service. The problem is, business owners purchase one when they really need the other. Let me explain how they differ.


Pentesting vs Vulnerability ScanningA vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system.

Let’s dive a little deeper.

What is a vulnerability scan?

Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses, also known as vulnerabilities. These scans are typically automated and give a beginning look at what could possibly be exploited.

High-quality vulnerability scans can search for over 50,000 vulnerabilities and are required as per PCI DSS, FFIEC, and GLBA mandates.
Vulnerability Scanning
Vulnerability scans can be instigated manually or on an automated basis, and will complete in as little as several minutes, to as long as several hours.

Vulnerability scans are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. It’s up to the business owner or his/her IT staff to patch weaknesses on a prioritized basis, or confirm that a discovered vulnerability is a false positive, then rerun the scan.

To ensure the most important vulnerabilities are being scanned for, vulnerability scans should only be conducted by a PCI Approved Scanning Vendor, or ASV.

See Also: Spotting Vulnerabilities – Is Vulnerability Scanning Antiquated?

Reporting
After scan completion, a report will generate. Typically, vulnerability scans generate an extensive list of vulnerabilities found and references for further research on the vulnerability. Some even offer directions on how to fix the problem.

The report identifies any identified weaknesses, but sometimes includes false positives. A false positive is when a scan identifies a threat that’s not real. Sifting through real vulnerabilities and false positives can be a chore, especially if many are falsely identified.

Benefits of a vulnerability scan
  • Quick, high-level look at possible vulnerabilities
  • Very affordable (~$100 per IP, per year, depending on the scan vendor)
  • Automatic (can be automated to run weekly, monthly, quarterly, etc.)
  • Takes minutes
Limitations of a vulnerability scan
  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Does not confirm that a vulnerability is possible to exploit
See Also: Picking Your Vulnerability Scanner: The Questions You Should Ask

What is a penetration test?

A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called ethical hackers, try to prove that vulnerabilities can be exploited. Using methods like password cracking, buffer overflow, and SQL injection, they attempt to compromise and extract data from a network.
Penetration Test, pentesting
Penetration tests are an extremely aggressive approach to finding and removing vulnerabilities. They are also required as per PCI DSS, FFIEC, and GLBA regulations.

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

The cost of a penetration test is usually between $5,000 to over $70,000…but it depends on the extent of IP’s tested and the size of a web application. Learn more about the cost of penetration testing.

The main aspect that differentiates penetration testing from vulnerability scanning is the live human element. There is no such thing as an automated penetration test. All penetration tests are completed by very experienced, very technical, human beings.

Penetration testers are well versed in:
  • Black hat attack methodologies (e.g., remote access attacks, SQL injection)
  • Internal and external testing (i.e., perspective of someone within the network, perspective of hacker over Internet)
  • Web front-end technologies (e.g.,Javascript, HTML)
  • Web application programming languages (e.g., Python, PHP)
  • Web APIs (e.g., restful, SOAP)
  • Network technologies (e.g, firewalls, IDS)
  • Networking protocols (e.g., TCP/UDP, SSL)
  • Operating systems (e.g., Linux, Windows)
  • Scripting languages (e.g., python, pearl)
  • Testing tools (e.g., Nessus, Metasploit)
In short, penetration testers provide a deep look into the data security of an organization.

SEE ALSO: Different Types of Penetration Tests for Your Business Needs

Reporting
Typically, penetration test reports are long and contain a description of attacks used, testing methodologies, and suggestions for remediation.

Benefits of a penetration test
  • Live, manual tests mean more accurate and thorough results
  • Rules out false positives
  • Annual test, or after any significant change
Limitations of a penetration test
  • Time (1 day to 3 weeks)
  • Cost (around $4,000 to $20,000)

Which is better? A vulnerability scan or penetration test?

Both tests work together to encourage optimal network security. Vulnerability scans are great weekly, monthly, or quarterly insight into your network security, while penetration tests are a very thorough way to deeply examine your network security. Yes, penetration tests are expensive, but you are paying a professional to examine every nook and cranny of your business the way a real world attacker would, to find a possibility of compromise.

I’d be happy to schedule some time to discuss a penetration test for your business.
Tweet this!
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

5 Things the Payments Industry Should Watch for in 2015

1 comment:

  1. I am happy to be here because this is a very good site that provides lots of information about the topics covered in depth. I’m glad to see that people are actually writing about this issue in such a smart way. Penetration testing is not harmful if we deal it professionally .

    ReplyDelete