What is Penetration Testing?
Penetration testing (also known as ethical hacking or pentesting) is a technique for finding security vulnerabilities in computer systems, networks, or web applications by attacking them the way a real adversary would, with the authorization of the organization that owns them.
Penetration testing can be performed manually or with automated tools. Either way, the process involves gathering information about the target, identifying potential entry points, attempting to break in (or simulating the break-in) by exploiting the weaknesses found, and reporting the results to the organization.
The main purpose of penetration testing is to identify security vulnerabilities. Penetration testing can also be used to test an organization’s ability to identify and respond to an incident, the effectiveness of its security policies, its ability to meet compliance requirements, and employee security awareness.
A penetration tester collects information on security vulnerabilities discovered or exploited, and provides it to the organization’s IT and security teams, allowing them to make strategic decisions and prioritize vulnerabilities to fix.
Penetration testing is sometimes called white hat hacking: it resembles a real attack, but is performed with the organization's authorization and on its behalf.
What is Vulnerability Scanning?
Vulnerability scanning (also called vulnerability analysis or vulnerability assessment) identifies known security vulnerabilities in computers, software applications, and networks. It is usually automated and reports security gaps that attackers could exploit.
Vulnerability scanning tools check for thousands of known vulnerabilities, typically by matching the software versions and configurations they observe against a database of published issues, and can also flag specific compliance issues for PCI DSS, HIPAA, GLBA, and other standards.
Scans can be run on demand or automatically on a schedule, and take anywhere from a few minutes to several hours depending on the number of targets and checks.
Vulnerability scanning is passive in the sense that it stops at the report: the scanner does not try to exploit what it finds, so it falls to the company's IT or security staff to confirm whether each detected vulnerability is real or a false positive (not an actual security issue), and to prioritize patching and remediation of the real ones.
When the scan completes, it produces a detailed report: a list of the vulnerabilities found, usually with a severity score for each, which serves as a baseline for further investigation and for comparison with later scans. The report may also include instructions for remediating or patching each item.
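The triage that the report paragraph and the false-positive point describe can be scripted. The following is an added example, not code from the original page or from any scanner vendor: it parses two scan exports in a simplified JSON shape (real scanners export richer records), drops findings already triaged as false positives, ranks the rest by CVSS severity with an extra weight for internet-facing hosts, and diffs against the previous scan so that a regularly repeated scan acts as a baseline. The hosts, check names, scores, the false-positive reason and the +2.0 exposure weighting are all constructed for illustration.

```python
"""Triage a vulnerability-scan report against the previous scan.

Added example (not from the original page or any scanner): suppress known
false positives, rank remaining findings, and diff against the last scan.
All hosts, check IDs, scores and triage notes below are constructed.
"""
from dataclasses import dataclass
import json

# Constructed sample exports in a simplified JSON shape. Real scanner output
# carries more fields (CVE IDs, CVSS vectors, plugin output); triage is the same.
PREVIOUS_SCAN = json.dumps([
    {"host": "10.0.0.5", "port": 443, "check": "TLS10-ENABLED", "cvss": 5.3,
     "title": "TLS 1.0 enabled"},
    {"host": "10.0.0.5", "port": 22, "check": "SSH-WEAK-MAC", "cvss": 4.3,
     "title": "Weak SSH MAC algorithms offered"},
    {"host": "10.0.0.9", "port": 80, "check": "HTTP-TRACE", "cvss": 5.0,
     "title": "HTTP TRACE method enabled"},
])
CURRENT_SCAN = json.dumps([
    {"host": "10.0.0.5", "port": 443, "check": "TLS10-ENABLED", "cvss": 5.3,
     "title": "TLS 1.0 enabled"},                            # still present
    {"host": "10.0.0.9", "port": 80, "check": "HTTP-TRACE", "cvss": 5.0,
     "title": "HTTP TRACE method enabled"},                  # still present, known FP
    {"host": "10.0.0.9", "port": 8080, "check": "OUTDATED-APP-SERVER", "cvss": 9.8,
     "title": "Application server version has a known RCE"},  # new
    {"host": "10.0.0.12", "port": 3306, "check": "DB-DEFAULT-CREDS", "cvss": 7.5,
     "title": "Database accepts default credentials"},       # new
])
# SSH-WEAK-MAC on 10.0.0.5 no longer appears in CURRENT_SCAN, so it counts as fixed.

# Prior triage decisions, (host, check) -> reason. Hypothetical entry.
FALSE_POSITIVES = {
    ("10.0.0.9", "HTTP-TRACE"): "reverse proxy in front of the host rejects TRACE",
}
# Hosts reachable from the internet; exposure raises priority (assumed weighting).
INTERNET_FACING = {"10.0.0.9"}
EXPOSURE_BONUS = 2.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str
    cvss: float
    title: str

    @property
    def key(self):
        return (self.host, self.port, self.check)


def load_findings(report_json: str) -> dict:
    """Parse a scan export into {key: Finding}; repeated rows collapse to one."""
    out = {}
    for row in json.loads(report_json):
        f = Finding(row["host"], int(row["port"]), row["check"],
                    float(row["cvss"]), row["title"])
        out[f.key] = f
    return out


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands (critical 9.0-10.0, high 7.0-8.9, ...)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def priority(f: Finding) -> float:
    """CVSS score plus a bonus when the host is internet-facing."""
    return f.cvss + (EXPOSURE_BONUS if f.host in INTERNET_FACING else 0.0)


def triage(current_json: str, previous_json: str) -> dict:
    """Split the current scan into new / persisting / fixed / suppressed buckets
    and return the actionable findings as a priority-ordered worklist."""
    current = load_findings(current_json)
    previous = load_findings(previous_json)
    suppressed, actionable = [], []
    for f in current.values():
        if (f.host, f.check) in FALSE_POSITIVES:
            suppressed.append(f)
        else:
            actionable.append(f)
    actionable.sort(key=priority, reverse=True)
    return {
        "new": [f for f in actionable if f.key not in previous],
        "persisting": [f for f in actionable if f.key in previous],
        "fixed": [f for k, f in previous.items() if k not in current],
        "suppressed": suppressed,
        "worklist": actionable,
    }


if __name__ == "__main__":
    result = triage(CURRENT_SCAN, PREVIOUS_SCAN)
    for bucket in ("new", "persisting", "fixed", "suppressed"):
        print(f"{bucket}: {[f.check for f in result[bucket]]}")
    for f in result["worklist"]:
        print(f"{priority(f):5.1f} {severity(f.cvss):8} {f.host}:{f.port} {f.check}: {f.title}")
```

The worklist puts the critical finding on the internet-facing host first, the new high-severity database finding second, and the medium TLS issue that was already known last; the suppressed HTTP TRACE finding is kept in its own bucket rather than silently dropped, so a reviewer can still see why it was excluded. The "fixed" bucket is what a recurring scan gives you that a one-off pentest does not: evidence that remediation actually took effect.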
Penetration Testing vs. Vulnerability Scanning: What’s the Difference?
Pentesting and vulnerability scanning differ in their goals, their approach, the types of vulnerabilities they detect, and the tools they use:
- Goal: a scan enumerates known weaknesses across many assets; a pentest determines whether weaknesses can actually be exploited, and with what impact.
- Approach: scanning is largely automated and repeatable; pentesting is mostly manual work by a skilled tester, supported by tools.
- Findings: a scanner matches what it observes against a database of known issues; a pentester can also find weaknesses that are difficult or impossible for an automated scanner to detect.
- Tools and output: a scanner produces a list of findings with severity ratings and remediation guidance; a pentest produces a report of what was exploited, how, and what to fix first.
How Can You Choose the Best Type of Test for Your Organization?
The simple answer is that most organizations should use both vulnerability scanning and penetration testing. However, you should understand the relative benefits of each method.
Pros of vulnerability scanning:
- Cheap and fast enough to run regularly across all assets, including networks, servers, websites, and applications, so security gaps and weaknesses are found soon after they appear.
- Easy to repeat after adding new components to your network or changing configurations, which keeps your picture of exposure up to date.
Cons of vulnerability scanning:
- Produces false positives: many of the detected vulnerabilities may not represent a real threat, and each one has to be checked by hand.
- Only looks for known weaknesses, which leaves your systems exposed to unknown (zero-day) vulnerabilities, uncommon threats, and anything not covered by the scanning tool's vulnerability database.
- Tells you that your systems are vulnerable to certain threats, but not the actual impact on your business or the real priority for taking action.
Pros of penetration testing:
- Not only identifies security vulnerabilities, but also determines whether someone can actually exploit them and what the risk of a real attack is.
- Can identify vulnerabilities that are difficult or impossible to detect with automated vulnerability scanning software.
- Demonstrates the severity of a problem and what steps to take to prevent an actual attack, which helps the organization justify investment in security measures.
Cons of penetration testing:
- Expensive, and therefore typically performed infrequently
- Requires extensive setup and coordination with a penetration testing vendor
- Gives a point-in-time result rather than a baseline, so it is difficult to compare with previous tests
Some of these downsides of penetration testing are addressed by a new model called penetration testing as a service (PTaaS).
Conclusion
Both penetration testing and vulnerability scanning are valuable for organizations. Both help discover security vulnerabilities so they can be remediated before an attacker exploits them. However, it's important to understand their relative advantages:
- Penetration testing is an in-depth review of an organization's defenses that, because of its cost, can be performed only occasionally
- Vulnerability scanning is a relatively shallow test, but one that is cheap and easy to run, and can therefore be repeated regularly
Combining both approaches to get the benefits of each is the right choice for most organizations.