Penetration Test vs. Vulnerability Assessment
What I learned in the Sea Services (Marines) is that a ship can carry a boat, but a boat cannot carry a ship. So I ask you: are you getting a Penetration Test or a Vulnerability Assessment? I say this because there are huge differences. A vulnerability assessment is part of a penetration test, but a penetration test is made up of a number of different steps and tests.
Well, just what are the differences?
- A Penetration Test is a five-step process. The steps are a Reconnaissance phase, an Enumeration and Vulnerability Assessment phase, an Exploitation phase, a Privilege Elevation phase and a Covering Your Tracks phase.
- A Vulnerability Assessment is really only one phase of the Penetration Test, although you could argue that the Reconnaissance phase is covered when you hand the tester your IP addresses.
- A Penetration Test is a largely manual process that uses command line tools along with some automated tools.
- A Vulnerability Assessment usually involves little more than running an automated scanner.
- A Penetration Test should be performed by a credentialed security professional.
- A Vulnerability Assessment can be performed by almost anyone who can operate the scanner.
- A Penetration Test verifies that a vulnerability actually exists and proves that the system can be exploited.
- A Vulnerability Assessment only indicates that a vulnerability may exist; it does not confirm it, and a scanner that matches on version numbers will report findings that turn out to be false positives.
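As an added example (this is not code from the original post), here is the difference between a scan finding and a verified finding written out in Python: the scanner compares an advertised service version to a rule and can say no more than "potential", while the exploitation phase actually exercises the weakness and turns each potential finding into "confirmed" or "false-positive". The rule ("OpenSSH before 7.5 is affected"), the hostnames, the banners and the probe results are all constructed for illustration and do not refer to any real CVE; the probe is a stand-in for whatever hands-on check the tester performs.

```python
# Added example, not from the original post. The scanner rule, banners and
# probe results are constructed for illustration and reference no real CVE.
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical signature: "OpenSSH before 7.5 is affected". Commercial scanners
# ship thousands of version-comparison rules of exactly this shape.
FIXED_IN = (7, 5)

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


@dataclass
class Finding:
    host: str
    status: str  # potential | not-flagged | unknown | confirmed | false-positive
    evidence: str


def scan(host: str, banner: str) -> Finding:
    """Vulnerability-scan logic: compare the advertised version to the rule.
    It never touches the weakness, so the best it can say is 'potential'."""
    m = BANNER_RE.match(banner)
    if not m:
        return Finding(host, "unknown", "banner not recognised")
    version = (int(m.group(1)), int(m.group(2)))
    advertised = f"advertised {version[0]}.{version[1]}"
    if version < FIXED_IN:
        return Finding(host, "potential", f"{advertised} < {FIXED_IN[0]}.{FIXED_IN[1]}")
    return Finding(host, "not-flagged", advertised)


def verify(finding: Finding, probe: Callable[[str], bool]) -> Finding:
    """Exploitation-phase logic: only 'potential' findings are worth the
    tester's time, and the probe actually exercises the weakness."""
    if finding.status != "potential":
        return finding
    if probe(finding.host):
        return Finding(finding.host, "confirmed", finding.evidence + "; probe succeeded")
    return Finding(finding.host, "false-positive",
                   finding.evidence + "; probe failed (patched or backported)")


# Constructed inventory. 10.0.0.2 is the classic distro-backport case: the
# vendor applies security fixes to the old version instead of upgrading, so
# the version string stays old and the banner alone misleads the scanner.
BANNERS = {
    "10.0.0.1": "SSH-2.0-OpenSSH_7.2p2",
    "10.0.0.2": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10",
    "10.0.0.3": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
}

# Constructed stand-in for the tester's hands-on check (for example, running a
# known proof-of-concept against the service). True means the check worked.
PROBE_RESULTS = {"10.0.0.1": True, "10.0.0.2": False}


def fake_probe(host: str) -> bool:
    return PROBE_RESULTS.get(host, False)


def run_assessment(banners: Dict[str, str]) -> Dict[str, Finding]:
    """Vulnerability assessment only: every result is at best 'potential'."""
    return {h: scan(h, b) for h, b in banners.items()}


def run_pentest(banners: Dict[str, str], probe: Callable[[str], bool]) -> Dict[str, Finding]:
    """Assessment followed by verification of each potential finding."""
    return {h: verify(f, probe) for h, f in run_assessment(banners).items()}


if __name__ == "__main__":
    for h, f in run_pentest(BANNERS, fake_probe).items():
        print(f"{h:10} {f.status:15} {f.evidence}")
```

Run as a script, the assessment alone flags both 7.2 hosts as "potential"; only after the probe does the report distinguish the exploitable host from the backported one, which is the work the automated-only "penetration test" never does.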
I could go on and on, but the reality is that there is a huge difference, and the fact is that we lose quite a bit of business to people who provide shoddy work and automated testing services to clients while saying that they are providing a penetration test. The bottom line is that a penetration test relies on human ingenuity and interpretation.
Unfortunately, many clients may not understand the differences and may not realize that they are getting subpar work.
So my advice is Caveat Emptor, or Let the Buyer Beware. If you would like more information, email me at firstname.lastname@example.org or give us a call at 884-9PENTEST (844-973-6837).