PenTest vs. VA: One Of These Things Is Not Like The Other

As a QSA, I’m often required to review the results of a vulnerability assessment and a penetration test as part of an overall security assessment. When I ask my clients for each report, I often get this response:

“Aren’t they the same?”

They aren’t. While somewhat similar in concept, they produce distinctly different results.

Penetration tests (commonly known as PenTests) are used to identify methods of exploiting vulnerabilities, with the intention of finding security weaknesses in a system and potentially gaining access to it, its functionality, and its data. It is a mainly manual process that can include vulnerability scanning and other automated tools. At the end of the engagement, an extensive report is generated. It contains a description of each verified vulnerability and/or potential issue discovered, the specific risks that vulnerability may pose, and the methods by which, and the extent to which, it may be exploited. Examples of vulnerabilities include, but are not limited to, SQL injection, privilege escalation, cross-site scripting, and deprecated protocols. PenTest engagements may last days or weeks depending on the scope of the tests and the size of the environment to be tested. Tests may grow in time and complexity if the effort uncovers additional exploitable weaknesses.

Vulnerability assessments (commonly known as VAs, or vulnerability scans) identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system and/or network. Typically, a variety of automated tools is used in combination with manual verification of the identified issues. These tools list the potential risks posed by known vulnerabilities, ranked in accordance with the NVD-CVSS base score associated with each vulnerability. Scans usually take a short amount of time, which can range from several seconds to several minutes per scanned host.

A vulnerability assessment should be performed regularly to identify and remediate known vulnerabilities on an ongoing basis. A penetration test should be performed at least annually, and after any significant change to the information systems environment, to identify exploitable vulnerabilities that may give an attacker unauthorized access to the system.

While vulnerability assessments and penetration tests are a requirement for PCI DSS compliance, it would be beneficial for companies to include the procedures in their overall security program even if they aren’t required to be PCI compliant. When used in conjunction with each other, they are an excellent indicator of a company’s security posture.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.