Vulnerability Assessment & Penetration Test

“There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist.”

– Daniel Miessler, Cybersecurity expert & Author

Besides the clarity on VAPT, many still believe that their applications and other IT assets are safe and do not need any additional tests & validation, in order to be secure. Currently, most of the world is under lockdown due to the threat posed by the coronavirus. While this has come as an opportunity for us to test our business continuity plans. However, this has also exposed how vulnerable our assets are against unknown threats.

No organization can afford to lower its guard against the threats that are increasing every day. A crisis is an opportunity for both the protectors and the exploiters. The protectors need to be one step ahead of the exploiters. Hence, understanding the fundamental difference between VA & PT is as important as getting all the IT assets tested for the same.

VA & PT – Definitions

Vulnerability Assessments are performed to find out a list of vulnerabilities. Application developers would only be testing their applications against the user requirements and how they perform under stress. Ideally assessing the applications for vulnerabilities is done by third parties to bring in objectivity in the process.

The more issues identified the better, so naturally, a white box approach should be taken if possible. The deliverable for the assessment is, usually a list of discovered vulnerabilities and how to remediate them. Once the vulnerabilities are identified, the customers can prioritize the issues and plan for closure.

On the other hand, Penetration Tests are designed to achieve a specific, attacker-simulated objective. A typical objective could be to access and/or modify the contents of an application of the customer on their internal network.

The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon objective (and how to remediate).

Vulnerability Assessment Vs. Penetration Test

A mistake people usually make when discussing vulnerability assessments vs. penetration tests is to identify this with exploitation. It is usually assumed that finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

However, that is incorrect.

Vulnerabilities are essentially weak points in software code that could sneak in during an update or when creating the base of the software code. Vulnerabilities can also be created when configuring privacy settings, software, hardware, social media, and email accounts. This means that certain behaviors of people could easily create opportunities for hackers and could, therefore, be considered as vulnerabilities.

Vulnerabilities are open doors that hackers could use to access a target system. The hackers depend on oversights and mistakes, such as unpatched servers and out-of-date software, to achieve their goals.

Penetration testing in simple terms is a simulation of a process a hacker would use to launch an attack on a business network, attached devices, network applications, or a business website. The purpose of the simulation is to identify security issues before hackers can locate them and perform an exploit. Hence, Penetration testing is also known as ethical hacking.

Simply put, it is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

A penetration test can also highlight weaknesses in a company’s security policies. For instance, although a security policy focuses on preventing and detecting an attack on an enterprise’s systems, that policy may not include a process to expel a hacker.

The myth that Penetration Tests include Vulnerability Assessments

It’s not correct to say that penetration tests always include a vulnerability assessment. Penetration tests are goal-based. As long as one breaches the security and reaches the network the goal is achieved.

It is accurate to say, in other words, that penetration tests rely on finding one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulnerabilities for that purpose. But because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

Summary

In summary, the goal of Vulnerability Assessment is to attain a prioritized list of vulnerabilities in the environment so that remediation can occur.

Here the Focus will be ‘breadth over depth’.

On the contrary, the goal of the Penetration Test is to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.

Here, the Focus will be ‘depth over breadth’.