The difference between vulnerability assessments and penetration testing
There are many opinions on how to define vulnerability assessment and penetration testing, but two dominate. Some hold that a penetration test should identify as many vulnerabilities as it can find. Others hold that a penetration test pursues a specific goal and ignores any vulnerability that does not help reach it.
Of the two, the second is the more useful definition, for the following reasons:
The wording used
The term ‘vulnerability assessment’ already describes the process of identifying vulnerabilities in a system, so there is no reason to give ‘penetration testing’ the same meaning. If the two meant the same thing, one term would do. They do not, and the difference is worth learning.
The crucial difference
A vulnerability assessment produces a list of vulnerabilities for a client who knows their security needs work but not exactly where. Once the client knows where they are vulnerable, they can act to fix those weaknesses. Because the assessment is about detection, the goal is breadth: the list should be as complete as possible, usually with each finding rated by severity so the client knows what to fix first.
A penetration test simulates an attack, but the attack has a specific objective. For example, a company might commission a simulated attack whose goal is to reach the customer database, or another whose goal is to modify a document in the financial database. At the end, the testers deliver a report describing how they reached (or failed to reach) the objective, the weaknesses they used along the way, and how to fix them.
A real-world example
Imagine a tiger team hired by the government for a mission. Richard Marcinko, for example, used to do things like attempt to take control of a nuclear submarine.
Suppose Richard completes a mission by breaking in through the east fence and taking the submarine. At the debriefing, the officials who hired him ask him about the security of the west fence.
He would answer that his job was not to check the west fence but to get in and take control of the submarine. There may have been many other ways in; the east fence was simply the one he chose.
Finally, he would explain that a full security audit of the facility housing the submarine was not part of his job of breaking in and taking the submarine, and he would advise the government to hire a company to perform such an audit and find all of the facility’s vulnerabilities.
Is a penetration test only vulnerability exploitation?
Some people believe that penetration testing is nothing more than exploiting vulnerabilities. That is not always so. A penetration test can succeed without the tester completing every step a criminal would take. A tester who reaches a safe can prove it by photographing the contents rather than taking them; a tester who reaches a database can prove access with evidence (a screenshot or a harmless query result) without copying or modifying the data.
Conversely, a vulnerability assessment can include some exploitation, for example to show a client the steps needed to exploit a finding, or to confirm that a reported vulnerability is real rather than a false positive.
Do penetration tests also include vulnerability assessments?
It is easy to assume that a full vulnerability assessment is a prerequisite for a penetration test, on the reasoning that a tester must identify every vulnerability in a system to reach the objective. That is not necessary: the tester only needs the vulnerabilities that lead toward the objective, and can stop looking once a workable path is found.
Since a vulnerability assessment is defined by producing a list of vulnerabilities in a system, a penetration test, which produces a path to an objective rather than a list, does not qualify as one.
Review
A vulnerability assessment aims to produce a list of vulnerabilities that a company can use to gauge its security posture and decide what to fix. A penetration test aims to achieve a specific attack objective and report how it was reached. Knowing which one you need avoids commissioning the wrong engagement, and avoids mistaking a single successful penetration path for a complete picture of an organization’s weaknesses.