Vulnerability Assessments and Penetration Tests: What’s the Difference?

A typical point of confusion for our clients and prospects is the difference between vulnerability assessments and penetration tests. While it is common to administer the two in tandem, it is also important to understand how they differ.

During a vulnerability assessment, a technician or consultant scans a series of systems for vulnerabilities, then methodically removes false positives. Reports tend to be long and detailed, as the scan usually covers the entire network and lists all known vulnerabilities that stand a chance of being exploited. If a penetration test is also going to be performed, the information collected in this report helps determine which systems and vulnerabilities to focus on.

Generally speaking, penetration tests target high-risk vulnerabilities residing on assets that are of critical value to the organization. However, because penetration tests also carry a risk of system instability or disruption, it is unwise to execute a penetration test on a production system that cannot be taken offline under any circumstances. Industrial control systems (ICS) are a perfect example. In such cases, we often recommend testing in a development or other non-production environment.

Usually performed by a licensed (ethical) hacker, a penetration test simulates a true attack. The tester attempts to exploit known system weaknesses, with the goal of gaining root or administrative access and escalating privileges. Unlike vulnerability assessments, which should be repeated on a regular, if not continuous, basis, true penetration tests don’t need to happen as often; once a year is typically sufficient. The reports are also more concise, as they generally list only those systems that were actually compromised.

At Securance, we often conduct vulnerability assessments and penetration tests in tandem, using the results of our vulnerability assessment and feedback from our clients to define the scope of the penetration test. The penetration test is not a necessity. In certain cases, a vulnerability assessment is enough – particularly if critical systems, such as ICS, are involved, and duplicate instances in test or development environments are not available for testing. That said, where the risks are tolerable, or systems can be tested outside of production, a penetration test provides valuable insight into an organization’s vulnerabilities, the associated risks, and the order in which they should be remediated.
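The workflow described above (scan, remove false positives, produce the long assessment report, then narrow to high-risk findings on critical assets while keeping untouchable production systems such as ICS out of the pentest unless a non-production twin exists) can be expressed as a small triage script. The following is an added example, not Securance's tooling or a client report; the finding and asset records are constructed sample data, and the field names, CVSS threshold and host names are assumptions.

```python
"""Triage of vulnerability-scan output into a penetration-test scope.

Added example; not Securance's tooling. The finding and asset records below
are constructed sample data, and the field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str      # scanner check name (constructed, not a real plugin id)
    cvss: float          # 0.0 - 10.0 base score as reported by the scanner
    summary: str


@dataclass
class Asset:
    host: str
    criticality: str                  # "critical", "high", "medium" or "low"
    production: bool
    can_take_offline: bool
    non_prod_twin: Optional[str] = None   # duplicate instance in test/dev, if any


# Constructed sample scan output (not real hosts or real findings).
SCAN_RESULTS = [
    Finding("plc-01.ot.example", "default-credentials", 9.8, "Vendor default credentials accepted"),
    Finding("plc-01.ot.example", "cleartext-mgmt-protocol", 7.5, "Management protocol without encryption"),
    Finding("web-01.example", "outdated-tls", 7.4, "TLS 1.0 enabled"),
    Finding("web-01.example", "missing-security-headers", 3.1, "No HSTS header"),
    Finding("db-01.example", "unauthenticated-admin-port", 9.1, "Admin port reachable without auth"),
    Finding("print-01.example", "snmp-public-community", 5.3, "SNMP 'public' community string"),
    Finding("web-01.example", "outdated-tls", 7.4, "TLS 1.0 enabled"),  # duplicate from a second scan pass
]

# Constructed asset inventory. The PLC is ICS: production, cannot be taken
# offline, but a lab twin exists. The database has no twin at all.
ASSETS = {
    "plc-01.ot.example": Asset("plc-01.ot.example", "critical", True, False,
                               non_prod_twin="plc-lab-01.test.example"),
    "web-01.example": Asset("web-01.example", "high", True, True),
    "db-01.example": Asset("db-01.example", "critical", True, False),
    "print-01.example": Asset("print-01.example", "low", True, True),
}

# Analyst-verified false positives as (host, finding_id). Constructed: the
# TLS 1.0 hit came from a stale banner and was disproved by a manual check.
VERIFIED_FALSE_POSITIVES = {("web-01.example", "outdated-tls")}

HIGH_RISK_CVSS = 7.0                   # assumed threshold for "high-risk"
CRITICAL_LEVELS = {"critical", "high"}


def remove_false_positives(findings, verified_fp):
    """Drop analyst-confirmed false positives and exact duplicates, keeping scan order."""
    seen = set()
    kept = []
    for f in findings:
        key = (f.host, f.finding_id)
        if key in verified_fp or key in seen:
            continue
        seen.add(key)
        kept.append(f)
    return kept


def assessment_report(findings):
    """Vulnerability-assessment view: every confirmed finding, highest CVSS first."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.finding_id))


def pentest_scope(findings, assets, min_cvss=HIGH_RISK_CVSS):
    """Select pentest targets: high-risk findings on critical or high assets.

    A production asset that cannot be taken offline is included only when a
    non-production twin exists, and the twin becomes the test target.
    Returns (targets, excluded): each target is (test_host, finding), each
    excluded entry is (finding, reason) for the report narrative.
    """
    targets, excluded = [], []
    for f in assessment_report(findings):
        asset = assets.get(f.host)
        if asset is None:
            excluded.append((f, "host not in asset inventory"))
            continue
        if f.cvss < min_cvss or asset.criticality not in CRITICAL_LEVELS:
            excluded.append((f, "below pentest risk threshold"))
            continue
        if asset.production and not asset.can_take_offline:
            if asset.non_prod_twin is None:
                excluded.append((f, "cannot be taken offline and no non-production twin"))
                continue
            targets.append((asset.non_prod_twin, f))
        else:
            targets.append((f.host, f))
    return targets, excluded


if __name__ == "__main__":
    confirmed = remove_false_positives(SCAN_RESULTS, VERIFIED_FALSE_POSITIVES)
    print(f"Assessment report: {len(confirmed)} confirmed findings")
    for f in assessment_report(confirmed):
        print(f"  {f.cvss:4.1f}  {f.host:22}  {f.finding_id}")
    targets, excluded = pentest_scope(confirmed, ASSETS)
    print("Pentest scope:")
    for host, f in targets:
        print(f"  {host:26}  {f.finding_id}  (found on {f.host})")
    print("Excluded from pentest:")
    for f, reason in excluded:
        print(f"  {f.host:22}  {f.finding_id}: {reason}")
```

Run with `python triage.py`. With the sample data, the assessment report keeps five confirmed findings, both PLC findings are redirected to the lab twin, and the database's unauthenticated admin port stays in the assessment only because the host cannot be taken offline and has no twin, which is exactly the case where the article says a vulnerability assessment alone is the right outcome.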