Vulnerability Assessments vs Penetration Testing

There are many instances where I have had discussions with an organization asking about the difference between a Vulnerability Assessment and a Penetration Test. So I thought I would take a shot at identifying the differences between the two types of testing.

Vulnerability Assessment is the process of identifying vulnerabilities on a network using a series of automated tools that scan the network for known weaknesses. A penetration test is focused on actually exploiting those weaknesses to gain unauthorized access to the tested systems or data (as directed by the client). A vulnerability assessment provides an overview of the flaws that exist on the system while a penetration test goes on to provide an impact analysis of the flaws, and identifies the possible impact of those flaws on the underlying network, operating systems, databases etc.

Vulnerability Assessments use scanners to identify vulnerabilities that are known to report a great amount of false positives. In Penetration testing, there is human intervention to exploit vulnerabilities, thus eliminating false positives. Vulnerability Assessments are more of a passive process. In vulnerability assessment you use software tools that analyze both network traffic and systems to identify any exposures that increase vulnerability to attacks. Penetration testing is an active practice wherein ethical hackers are employed to simulate an attack and test the network and systems’ resistance.

Vulnerability assessments deal with potential risks, whereas penetration testing is actual proof of concept. Vulnerability assessments are just a process of identifying and quantifying the security vulnerabilities in a system. Vulnerability assessments do not provide validation of security vulnerabilities. Validation can be only done by conducting a penetration test.

The scope of a Penetration Testing can vary from a Vulnerability Analysis, to fully exploiting the targets, to destructive testing. Penetration Testing consists of a Vulnerability Analysis, but it goes one step ahead where in you will be evaluating the security of the system by simulating an attack usually done by a malicious hacker. For instances, a Vulnerability Assessment exercise might identify absence of anti-virus software on a system or open ports as a vulnerability. However, a penetration test will determine the level to which existing vulnerabilities can be exploited, and the damage that can be inflicted due to this.

A vulnerability assessment answers the question: “What are the present vulnerabilities and how do we fix them?” Penetration testing simply answers the questions: “Can any external attacker or internal intruder break-in, and what can they attain?”