Vulnerability scanning and penetration testing are both testing methods that can be used to identify security vulnerabilities, but these testing methods each offer different benefits and are suitable for different applications. A penetration tester might run a scan during testing, but not vice versa. It’s a common misconception that the value offered by each of these methods is comparable or interchangeable. This summary explains the differences.
What is a vulnerability scan?
A vulnerability scanner is a program that checks your services for weak versions or weak configurations based on known signatures. In some cases, the scanner also checks if a weak version could be exploited. The scanner operates externally and scans the system according to this pattern:
- Identify service
- Identify service-version
- Check DB for known vulnerabilities based on the version
- Run the script that checks the vulnerability
The scanner generates a report that includes a generic description of the vulnerability and a generic security recommendation. If any step in this pattern fails, the remaining steps are not executed. For example, if the service version string had been altered to a non-standard format, no vulnerabilities would be evaluated, because nothing would match the versions stored in the DB.
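The four-step pattern above, and the way it short-circuits, can be shown with a toy scanner. The code below is an added illustration written for this summary, not code from any real scanner; the service name `exampled`, the `EXAMPLE-000x` identifiers, the banner format and the simulated hosts are all constructed for the example. Two hosts run the same build, but only the one that advertises the vendor's standard banner produces a finding:

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    service: str
    version: str
    vuln_id: str
    description: str
    confirmed: bool


# Constructed signature database. Service name, versions and IDs are
# placeholders for this example and do not correspond to any real advisory.
VULN_DB = {
    ("exampled", "1.2.0"): ("EXAMPLE-0001", "Debug endpoint enabled by default"),
    ("exampled", "1.2.1"): ("EXAMPLE-0002", "Verbose error pages leak stack traces"),
}

# Steps 1 and 2: the scanner only understands the vendor's standard banner layout.
BANNER_RE = re.compile(r"^(?P<service>[A-Za-z]+)/(?P<version>\d+\.\d+\.\d+)$")


def identify_service(banner: str):
    """Parse 'name/x.y.z'; return (service, version) or None if the format is unknown."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None  # unknown format: the pipeline stops here
    return m.group("service").lower(), m.group("version")


def lookup_vulns(service: str, version: str):
    """Step 3: exact-version match against the signature database."""
    hit = VULN_DB.get((service, version))
    return [hit] if hit else []


def check_vuln(host: dict, vuln_id: str) -> bool:
    """Step 4: the per-vulnerability check. A real scanner would send a probe;
    the simulated host simply exposes the property the probe would observe."""
    checks = {
        "EXAMPLE-0001": lambda h: h.get("debug_endpoint", False),
        "EXAMPLE-0002": lambda h: h.get("verbose_errors", False),
    }
    return bool(checks.get(vuln_id, lambda h: False)(host))


def scan(host: dict) -> list:
    """Run the four-step pattern against a simulated host and return the findings."""
    ident = identify_service(host["banner"])
    if ident is None:
        return []  # step 1/2 failed, so steps 3 and 4 never run
    service, version = ident
    findings = []
    for vuln_id, description in lookup_vulns(service, version):
        findings.append(
            Finding(service, version, vuln_id, description,
                    confirmed=check_vuln(host, vuln_id))
        )
    return findings


# Constructed hosts: the same vulnerable build with two different banner strings.
STANDARD_HOST = {"banner": "exampled/1.2.0", "debug_endpoint": True}
OBSCURED_HOST = {"banner": "exampled (custom build)", "debug_endpoint": True}

if __name__ == "__main__":
    for h in (STANDARD_HOST, OBSCURED_HOST):
        print(h["banner"], "->", scan(h))
```

The obscured host is every bit as exposed as the standard one, but the report for it is empty. That is the practical caveat: a clean scan of a service with a non-standard banner is an absence of evidence, not evidence of safety, which is why a pentester probes the behaviour directly rather than trusting the version string.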
What is a penetration test?
A penetration test is a system test that simulates a hacker attempting to get into your system or server. The only difference is that the tester has no ill intentions and will generate a detailed report of their findings afterward. The report will include an explanation of the vulnerability in the context of the business. The point of penetration testing is to identify and locate vulnerabilities and provide a proof of concept (POC).
Understanding Logical Procedures
A scanner cannot understand business processes that have not been described to it, so it can overlook business-logic flaws, such as an e-commerce store that lets users bypass the payment step and submit a purchase without paying. A penetration tester, or “pentester”, can identify these logical manipulations and save the client from potentially severe losses.
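The payment-bypass flaw mentioned above is a good example of why this class of bug is invisible to a signature-based scanner: every request and response looks well-formed, so there is nothing to match. The code below is an added illustration for this summary, not code from any real shop or framework; the `Store` class, its method names and the order data are constructed. It places the vulnerable checkout handler, which trusts a client-supplied `paid` flag, beside the hardened one, which only consults server-side payment state:

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    total_cents: int
    status: str = "created"  # created -> paid -> submitted


class Store:
    """Constructed in-memory shop; the payment processor's callback is simulated."""

    def __init__(self):
        self.orders = {}
        self.settled = set()  # order ids the processor has confirmed as paid

    def create_order(self, order_id: str, total_cents: int) -> Order:
        self.orders[order_id] = Order(order_id, total_cents)
        return self.orders[order_id]

    def payment_callback(self, order_id: str, amount_cents: int) -> bool:
        """Only the (simulated) processor callback may mark an order as paid,
        and only when the settled amount matches the order total."""
        order = self.orders[order_id]
        if order.status == "created" and amount_cents == order.total_cents:
            self.settled.add(order_id)
            order.status = "paid"
            return True
        return False

    def submit_order_vulnerable(self, order_id: str, request: dict) -> bool:
        """Vulnerable: the decision rests on a flag the client put in the request.
        A scanner sees a normal 200 response either way and has no signature for this."""
        order = self.orders[order_id]
        if request.get("paid") == "true":
            order.status = "submitted"
            return True
        return False

    def submit_order_hardened(self, order_id: str, request: dict) -> bool:
        """Hardened: the request body is ignored for the paid/unpaid decision;
        only server-side state written by the processor callback counts."""
        order = self.orders[order_id]
        if order_id in self.settled and order.status == "paid":
            order.status = "submitted"
            return True
        return False


def demo() -> dict:
    """Exercise both handlers on an unpaid and a paid order; returns the outcomes."""
    results = {}

    vuln = Store()
    vuln.create_order("A-1", 4999)
    results["vulnerable_unpaid"] = vuln.submit_order_vulnerable("A-1", {"paid": "true"})

    hard = Store()
    hard.create_order("B-1", 4999)
    results["hardened_unpaid"] = hard.submit_order_hardened("B-1", {"paid": "true"})
    results["hardened_underpaid"] = hard.payment_callback("B-1", 1)
    results["hardened_after_callback"] = (
        hard.payment_callback("B-1", 4999) and hard.submit_order_hardened("B-1", {})
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The rule the hardened handler follows is the general one: any state that decides whether money changes hands lives on the server and is written only by the component that actually observed the payment. A tester who understands the checkout flow will look for exactly this kind of client-trusted state; a scanner, lacking any description of the process, has nothing to look for.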
A scanner can recognize the face value of a vulnerability but not the potential impact it can have on the business. For example, if a scanner found a web page that contains customer contact information, it might mark it as a low or medium vulnerability because there are exposed email addresses. A pentester would understand that this information could be the target of malicious intent because it can be sold to competitors, which would put the business at risk of losing clientele.
A scanner report includes generic descriptions of the vulnerabilities it identifies and generic recommendations for alleviating those vulnerabilities. This can present a problem when the client cannot follow a recommendation because it is not aligned with their needs. The description might not be specific or detailed enough for the client to work out an alternative solution independently. A pentester report provides a specific description of each vulnerability with recommendations customized to the client’s needs. It might also offer alternative suggestions when the primary recommendation might interfere with the client’s needs. The pentester’s report will also include a POC. Scanners rarely provide a POC and tend to have more false positives, which can lead to wasted resources.
The scanner is easy to operate, faster than a human, and covers significantly more ground, but it yields generic results. A pentest requires a kickoff and agreed boundaries (scope), but it yields more detailed, dependable, and applicable results. The price of the vulnerability scan and the penetration test will both depend on the service provider. In most cases, the scanner is the cheaper option. There are also free scanners available on the market. Again, the results achieved by the scanner are not as valuable as those of the penetration test, so businesses should consider the value relative to the cost.
A vulnerability scan can be a valuable tool for covering a broad area with shallow testing. It’s “an inch deep but a mile wide.” Penetration testing can be as deep and thorough as you need it to be, but it has lower coverage because it is carried out manually. However, a penetration tester is a skilled professional who can target the most crucial aspects of your system.