Penetration Testing Vs Vulnerability Assessment

There is confusion around vulnerability assessment vs penetration testing. This is compounded by unscrupulous security vendors presenting (and pricing) a vulnerability assessment as a penetration test. Aside from poor ROI, this can give an organization a false sense of security, when in fact they have only received a basic level of service.

What is a Vulnerability Assessment?

It is an automated scan(s) followed by the generation of a report containing a prioritized list of the vulnerabilities found, the severity, and generic remediation advice. This is a useful auditing tool for the security team to remediate any errors that could allow a cybercriminal to gain access to the organization’s systems and sensitive data. The quality of the results is dependent on the quality/recency of the vulnerability scanning software and the ability of the security professional to interpret the results.

Is it different from Penetration Testing?

Penetration testing has a much greater potential breadth of scope and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attacks used by cybercriminals, targeting both known and unknown vulnerabilities.

Vulnerability assessments are often used to scope a penetration test or as a research tool during the reconnaissance phase of a penetration test. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test, the tester will modify their approach until they can provide proof of vulnerability through exploitation and gain access to the security systems or store sensitive information that a malicious attack could compromise.