
Penetration testing vs vulnerability scanning – which is best for your business?

Outside the security industry, the terms penetration testing and vulnerability scanning are often used interchangeably. This is usually because the owners and senior staff of small and medium-sized businesses are not well versed in cybercrime but are nonetheless responsible for their organisation’s security. In some cases, businesses pay for what they think is a penetration test and actually receive a vulnerability scan.

Misunderstanding these terms can put your business at serious risk and also cost you a lot of money. So, what is the difference between a penetration test and a vulnerability scan, and which is best for your business?

What is vulnerability scanning?

Vulnerability scanning does exactly what it says on the tin: it is the automated process of scanning a business’s systems for vulnerabilities that are already known within the security industry, typically by fingerprinting the software and versions in use and checking them against a database of published issues. Once the scan has completed, it produces a report that lists each vulnerability found and recommends next steps. Scans should be run regularly, and whenever new hardware or software is added to the network, to give an up-to-date indication of the areas of weakness that need to be addressed.

What is penetration testing?

A penetration test differs from a vulnerability scan in that it does not simply identify vulnerabilities but actually attempts to exploit them. Basic penetration tests can be run with automated tools, but the most effective approach combines automated processes with human expertise. In such a test a person, working within an agreed and authorised scope, essentially hacks the business’s systems to see what information they can reach and how deep a problem goes. A penetration test is not finished when a vulnerability has merely been listed: where exploitation is safe and in scope, the tester exploits it, and any access gained is used to find out how far a real attacker could get.

What are the differences between vulnerability scanning and penetration testing?


Testing
  Vulnerability scanning:
  - Run automatically by computer software
  - Standardised and permits only minor customisation
  - Vulnerabilities are not exploited
  - Only looks at common vulnerabilities and a limited number of areas
  - Unable to understand business logic
  Penetration testing:
  - Conducted by security professionals
  - Customised on a test-by-test basis to meet client requirements
  - Vulnerabilities exploited to reveal the full impact of each issue
  - Creative process benefiting from the tester’s experience
  - Simulates the behaviour and thinking of a real-world attacker
  - Analyses the logic behind a system and recognises logic flaws

Analysis
  Vulnerability scanning:
  - Includes potential and unverified vulnerabilities
  - Includes false positives
  - Risks are generalised and do not take into account the system architecture
  Penetration testing:
  - Professionally interpreted to remove false positives and understand the real risk associated with each vulnerability

Reporting
  Vulnerability scanning:
  - Automatically generated
  - Often unclear and may run to 100+ pages
  Penetration testing:
  - Written by security experts and tailored to the client’s systems and applications
  - Clear and concise
  - Includes a high-level summary of findings

PCI DSS
  Vulnerability scanning: supports Requirement 11.2 (internal and external vulnerability scans at least quarterly and after significant changes)
  Penetration testing: supports Requirement 11.3 (penetration testing at least annually and after significant changes)
  (Requirement numbers as in PCI DSS v3.x; in PCI DSS v4.0 these became Requirements 11.3 and 11.4 respectively.)

Which is best for my business?

The short answer is both. However, you need to understand what it is you will be gaining from each.

There are many reasons a business should undertake vulnerability scanning. It is essential to examine your assets, including networks, servers, websites and applications, to identify the strengths and weaknesses of each, and to keep that picture current by scanning regularly and whenever you add new components to your network. However, there are a few things to be aware of. The first is that scans produce ‘false positives’: findings reported as vulnerabilities that turn out not to be, for example where a scanner judges a service vulnerable from its version number even though the vendor has backported the fix without changing that version. The second is that scans also miss things: they only search for known vulnerabilities, which leaves your business exposed to threats that are less common, not yet publicly known, or simply not covered by the scanner’s checks.

The final thing to be aware of is that knowing your network is vulnerable to a particular threat is only useful if you understand how deep the problem goes, what it would mean for your business in real terms, and what you can do about it.

This is where penetration testing comes in. Rather than simply identifying your security weaknesses, a penetration test finds out whether someone could actually exploit them and what is at risk if they do. Penetration tests are also the best way to find vulnerabilities that automated scanners struggle with or cannot detect at all, such as flaws in an application’s business logic. Perhaps most importantly, a penetration test proves the severity of a problem and identifies what you need to do to prevent a real attack, which helps when making the case for security investment to managers and customers alike.
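To make the difference concrete, here is a small added example in Python (not code from the original article) that models both activities described above: a banner-based scan that matches service versions against a signature list and so produces only unverified findings, followed by the tester’s overlay that confirms the exploitable finding, drops the false positive caused by a backported fix, and adds a business-logic flaw that no banner check could have surfaced. The host names, banners and vulnerability identifiers (VULN-0001, VULN-0002, LOGIC-0001) are constructed for illustration and do not refer to real systems or real CVEs.

```python
"""Toy model of a banner-based vulnerability scan plus the verification step
a penetration tester adds. Added example, not from the original article; all
hosts, banners and vulnerability IDs are constructed and refer to no real CVE."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical signature database: (id, product, first affected version
# inclusive, first fixed version exclusive, severity).
KNOWN_VULNS = [
    ("VULN-0001", "OpenSSH", (7, 0), (7, 5), "High"),
    ("VULN-0002", "Apache", (2, 4, 0), (2, 4, 30), "Medium"),
]

# Banner regexes: SSH identification strings and Apache Server headers.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
    (re.compile(r"^Apache/(\d+(?:\.\d+)*)"), "Apache"),
]


@dataclass
class Finding:
    host: str
    vuln_id: str
    severity: str
    evidence: str
    status: str = "unverified"  # unverified | confirmed | false_positive


def parse_version(text):
    """'2.4.29' -> (2, 4, 29); tuples compare element by element."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner):
    """Return (product, version) for a recognised banner, else None."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def scan(hosts):
    """Banner-only scan. Every finding is *potential*: a version string says
    nothing about backported fixes or whether the issue is really exploitable."""
    findings = []
    for host, banners in hosts.items():
        for banner in banners:
            fp = fingerprint(banner)
            if fp is None:
                continue  # unrecognised service: the scanner has no check for it
            product, version = fp
            for vuln_id, vuln_product, first, fixed, severity in KNOWN_VULNS:
                if product == vuln_product and first <= version < fixed:
                    findings.append(Finding(host, vuln_id, severity, banner))
    return findings


def apply_verification(findings, outcomes, tester_findings):
    """Overlay the tester's work: a successful exploit attempt confirms a finding,
    a failed one (here: the distro backported the fix without changing the
    banner) marks it a false positive, and hand-found issues are appended."""
    for finding in findings:
        outcome = outcomes.get((finding.host, finding.vuln_id))
        if outcome == "exploited":
            finding.status = "confirmed"
        elif outcome == "not_reproducible":
            finding.status = "false_positive"
    return findings + list(tester_findings)


def summarize(findings):
    """Counts per status, the one-line view an executive summary needs."""
    return Counter(finding.status for finding in findings)


# Constructed sample inventory and tester results.
HOSTS = {
    "web01": ["Apache/2.4.29 (Ubuntu)", "SSH-2.0-OpenSSH_7.6p1"],
    "db01": ["SSH-2.0-OpenSSH_7.4"],  # in the affected range, fix backported
    "app01": ["MyCustomApp/1.0"],  # bespoke service: no signature, no finding
}
OUTCOMES = {
    ("web01", "VULN-0002"): "exploited",
    ("db01", "VULN-0001"): "not_reproducible",
}
TESTER_FINDINGS = [  # business-logic flaw: no banner check could surface this
    Finding("app01", "LOGIC-0001", "High",
            "Checkout accepts a negative quantity and credits the account",
            status="confirmed"),
]


def run_demo():
    """Scan, then overlay verification; returns the final finding list."""
    return apply_verification(scan(HOSTS), OUTCOMES, TESTER_FINDINGS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host:6} {f.vuln_id:10} {f.severity:6} {f.status:15} {f.evidence}")
    print(dict(summarize(run_demo())))
```

Running it shows the scan alone reporting two unverified issues and nothing at all for the bespoke service, while the verified list ends with two confirmed findings and one false positive. The version-range match in scan() is the whole of what a signature-driven scanner can know; everything that changes the status of a finding comes from the tester’s outcomes.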

While a vulnerability scan is an important piece of routine work that gives insight into your business’s security hygiene, a full penetration test that builds on the results of your scans, carried out at least once a year and after any significant change to your systems, is an investment in your business’s real-world security.
