Vulnerability Assessment & Penetration Test – What’s the Difference?

By Samantha Woollard (Internet Security Specialist) – 19 December 2016

Vulnerability assessment or penetration test? The two are often confused and sometimes thought to be the same thing. However, there are some major differences between them which are important to understand when it comes to the security of your business.

A vulnerability assessment consists of detecting vulnerabilities, defining what they are and how they can affect your business, and advising on remediation. This test is more about breadth than depth: its aim is to bring to light which vulnerabilities exist across your systems, rather than to exploit them. During a vulnerability assessment, scanners are used to pick up missing patches that need to be applied and other vulnerabilities that exist. Even though the scanners can pick up certain threats, they cannot think like an attacker. Because of this, the system is also manually tested for other threats that require a human's viewpoint and an attacker's mindset.

A penetration test simulates what a real attacker would do. Using various tools and procedures, the key is to exploit a business's systems and gain unauthorised access to critical information. It gives an extensive insight into how much risk your business is under. This test is more about depth than breadth. Rather than a list of vulnerabilities, the goal is to find out whether someone can break in and, if so, how far they can get.

Vulnerability scanners should be used within your company and run frequently, especially when changes are put into place and new equipment is added. However, running these scans can often bring up false positives, which can be a real headache for someone who does not have a background in security. How can you differentiate between the real vulnerabilities and the false positives? With a vulnerability assessment, only the actual vulnerabilities are brought to your attention, along with other manually found threats. Both assessments are essential; whether it is the security of your network or of your web application, it is recommended that each should undergo at least one vulnerability assessment and one penetration test a year. By completing both, you will get a comprehensive picture of your business's security holes.

