Penetration testing vs Vulnerability assessment

What is Vulnerability assessment?

  • Identify the security loopholes in a network or systems
  • Estimate how susceptible the network is to different vulnerabilities

3 different ways to scan the network:

  • Network scanning - Network scanning involves detecting all active hosts on a network and mapping them to their IP addresses. Port scanning refers to the process of sending packets to specific ports on a host and analyzing the responses to learn details about its running services or locate potential vulnerabilities.
  • Authenticated scanning - An authenticated security scan is vulnerability testing performed as a logged-in (authenticated) user. The method is also known as logged-in scanning. ... The method finds many vulnerabilities that cannot be detected through an unauthenticated scan.
  • Passive scanning - Passive scanning is a method of vulnerability detection that relies on information gathered from network data that is captured from a target computer without direct interaction.

Scanners detect only known vulnerabilities; they do not detect unknown vulnerabilities.
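The following Python example is added here and is not part of the original article. It illustrates passive scanning and the limit stated above by matching service banners taken from captured traffic against a list of known-vulnerable versions. The product names, versions, addresses and advisory identifiers are all constructed for the example.

```python
import re

# Constructed knowledge base: product -> (first fixed version, advisory id).
# Product names, versions and advisory ids are invented for this example.
KNOWN_VULNS = {
    "exampleftpd": ((2, 4, 0), "ADVISORY-PLACEHOLDER-1"),
    "acmehttpd": ((1, 9, 3), "ADVISORY-PLACEHOLDER-2"),
}

# Constructed banners as a passive sensor might log them from captured
# traffic ("host port banner"); the code sends no packets to any host.
CAPTURED = """\
10.0.0.5 21 220 ExampleFTPd 2.3.1 ready
10.0.0.6 80 Server: AcmeHTTPd/1.9.3
10.0.0.7 8080 Server: InHouseApp/0.1
10.0.0.8 21 220 ExampleFTPd ready
"""

# A product token followed by "/" or a space and a dotted version number.
BANNER_RE = re.compile(r"([A-Za-z]+)[/ ](\d+(?:\.\d+)*)")


def assess(captured):
    """Return (host, port, status, detail) for each captured banner line."""
    results = []
    for line in captured.splitlines():
        host, port, banner = line.split(maxsplit=2)
        match = BANNER_RE.search(banner)
        if not match:
            # Version hidden or stripped: passive data cannot classify it.
            results.append((host, int(port), "unidentified", banner))
            continue
        product, version = match.group(1).lower(), match.group(2)
        seen = tuple(int(part) for part in version.split("."))
        if product not in KNOWN_VULNS:
            # No signature is not the same as "safe": unknown flaws pass.
            results.append((host, int(port), "no-signature", product))
            continue
        fixed_in, advisory = KNOWN_VULNS[product]
        status = "known-vulnerable" if seen < fixed_in else "no-known-issue"
        detail = advisory if seen < fixed_in else version
        results.append((host, int(port), status, detail))
    return results


if __name__ == "__main__":
    for row in assess(CAPTURED):
        print(*row)
```

The "no-signature" and "unidentified" rows are the ones a scanner reports nothing about, which is the gap a penetration test is meant to examine.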

What is Penetration testing?

  • Determine if a “weak-point” is indeed a vulnerability
  • Confirm that exploiting the vulnerability can result in data exposure, application compromise, and/or infiltration of the system and ultimately the network.

3 major parameters should be defined before penetration testing begins:

  • Scope 
  • Prioritize
  • Approach

Types of Pen testing

  • Black box – Testers don’t have any prior knowledge of the testing target and rely on their own skill set to perform the testing.
  • Grey box – Testers have partial knowledge of the testing network, including basic information about the network's systems and system configuration, and possibly limited credentials and application configuration.
  • White box – Testers have complete knowledge of the testing target. Requires in-depth understanding of the testing network or system and gives better results.

Vulnerability assessment is performed by an automated software program, whereas penetration testing is done by manual human effort.

Vulnerability Software Program        Penetration testing - Creativity
Known exploit process                 Unknown exploit process
Opens a browser interface             Enumerates a vulnerability
Runs hacking script                   Analyzes results of an attack
Captures output                       Performs additional attack from findings
Finds & exploits vulnerability        Exploits vulnerability further to find more attacks
Reports findings

  • Vulnerability assessment – Highly scalable, enabling frequent scanning: monthly, weekly, or daily.
  • Penetration testing – Frequency depends on the availability of testing teams. Annually; some organizations run tests quarterly.