I ran into an excellent presentation by Ernest Lopez & Matt Linton of NASA on the VA/PT debate. As I delve into this rather innocuous-sounding issue, let me tell you that it is not innocuous at all. As a responsible security team, we have absolute nightmares when the two terms are used interchangeably (a vulnerability assessment enumerates and rates weaknesses; a penetration test actively exploits them to demonstrate impact) and we have to guess on the customer's behalf which of the two they actually want!
My educated hunch on why this happens:
1. Lack of awareness of what constitutes a security assessment, beyond the fact that one is required!
2. "PT" or penetration testing, as a term, sounds less technical than "VA" (vulnerability assessment)!
3. The industry-accepted notation for them is "VA/PT", which suggests that they are interchangeable terms!
4. Security teams, for fear of losing business, do not dare to differentiate between the two!