5 September 2023
Tom Wedgbury, Boglarka Ronto, Abhijeet Udas, Abartan Dhakal and Miguel Marques.
Written in conjunction with the CREST Penetration Testing Focus Group Sub-Committee, this article is the first in a series of posts that take a deep dive into the disciplines of Vulnerability Assessment and Penetration Testing.
Vulnerability Assessment and Penetration Testing are both important tools for organisations to gain assurance of security within their environment. These terms are often used interchangeably; however, they are not the same thing. It is critical that organisations understand that these tests provide different levels of assurance and that both have a place in an organisation’s security roadmap, but for different reasons.
In this article, we explore the differences between Vulnerability Assessment and Penetration Testing, irrespective of geographical or regional nomenclature differences. We hope that this will allow organisations to make more informed decisions about which cyber security services are most suitable for their requirements.
Vulnerability Assessment (VA) involves the use of automated techniques to map, scan, and identify security vulnerabilities within an environment. This is used to determine how susceptible the environment is to known and published vulnerabilities to give an overall view of its security posture.
Automated tools such as vulnerability scanners are used to target internal or external networks, hosts, servers, applications, or wireless networks, amongst others. Often vulnerability assessments are conducted on a continuous and repeatable basis, e.g. daily, weekly, or monthly, to generate a report indicating risk exposure over time. Vulnerability scanners rely on using up-to-date plugins / datasets from the vendor for the identification of the latest vulnerabilities. The phases of a vulnerability assessment may vary depending on the delivering organisation and requirements. A typical engagement may look as follows:
1. Asset Discovery
2. Vulnerability Assessment
3. Result Analysis
4. Reporting (Presentation of Findings)
Penetration Testing involves a combination of automated and manual techniques to identify and exploit known and unknown vulnerabilities within an environment, in addition to weaknesses or gaps in policy controls. This is more rigorous and intrusive than a vulnerability assessment and involves human interaction against the target scope. Testing is typically performed less frequently than a Vulnerability Assessment, often on an ad hoc, release- or regulation-driven, or annual basis, and scope may be narrower.
A penetration test also considers context when attempting to find or exploit vulnerabilities. For example, during a penetration test, an open file share could be explored for files containing passwords, and these passwords used against the environment to gain additional access. Another example could be taking advantage of a weakness and using the access gained to exploit trust relationships that other systems might have with the compromised system.
There are many variations of penetration testing and systems that can be targeted. This includes but is not limited to Web Applications, External Infrastructure, Internal Infrastructure, Cloud, Mobile, and IoT. It may also extend to Physical Security or Social Engineering.
Although many CREST member companies adopt the CREST Defensible Penetration Testing (CDPT) standard, the testing methodology varies between vendors. A typical penetration testing engagement may be delivered as follows:
2. Vulnerability Analysis
4. Post Exploitation
5. Reporting (Business Impact Analysis)
You can find out more about what makes a good pentest in the latest CREST Pentest Panel Session in this short video.
It is also important not to confuse typical Penetration Testing with Red Teaming, also known as Intelligence Led Penetration Testing. Where Red Teaming differs is that it mimics a real-world threat actor, using realistic tactics and techniques based on threat intelligence. The aim is to achieve a specific objective, testing an organisation’s ability to prevent, detect, and most importantly respond to attacks, rather than identifying and exploiting all vulnerabilities within a given environment.
Key differences at a glance:
| Vulnerability Assessment | Penetration Testing |
|---|---|
| Focuses on identifying vulnerabilities | Focuses on exploiting vulnerabilities |
| Largely automated | Often a hybrid approach using automated tools complemented with manual testing |
| Conducted on a regular, repeatable basis | Often conducted on an annual or ad hoc basis |
| Wide scope | Narrow, focused scope |
| Provides a quantifiable outcome on the security posture of a given scope | Provides an understanding of how the identified vulnerabilities impact the organisation and scope |
In conclusion, Vulnerability Assessment and Penetration Testing are both crucial components of a comprehensive cybersecurity strategy. These types of assessments complement each other, but ultimately serve different purposes and are applicable to different aspects of a product lifecycle.
We hope that you have found this article useful and invite you to keep an eye out for part 2, where we will expand on this to consider outliers and regional differences in terminology you might encounter when procuring Vulnerability Assessment and Penetration Testing services.
Tom Wedgbury, Managing Senior Security Consultant at LRQA Nettitude.
Tom leads a team of pentesters at LRQA Nettitude, a CREST member company and award-winning global provider of cybersecurity services.
Prior to moving into cybersecurity Tom started his career as a software developer, creating software and hardware solutions for collecting and analysing telecommunications data. As a result, he now specialises in application security, delivering penetration testing, source code review, and S-SDLC training across the industry.
Boglarka Ronto, Cyber Practice Lead at Resillion.
In her early career as a UNIX administrator, Boglarka realised how poorly understood cyber security was. This sparked a lifelong passion for the security industry, initially as a mentor and lecturer to IT and OT professionals, and later as a security tester and business leader.
As a female in cyber she is an advocate for the role of diverse groups in cyber, especially supporting those with early interest striving to enter the industry. Boglarka continues to promote the Penetration Testing Discipline of CREST globally, and regularly presents to and liaises with cyber professionals and industry bodies.
She leads the Cyber Practice for Resillion, an organisation with a focus on delivering quality in engineering, testing and assurance services.
Abhijeet Udas, Executive Principal Consultant at NCC Group and CREST Fellow.
Abhijeet is an accomplished and driven IT Security Consultant with extensive expertise and experience across the globe in the field. He has consistently demonstrated his dedication to IT security and his ability to deliver high-quality solutions and outcomes for clients across different industries.
Abartan Dhakal, Lead Penetration Tester at StickmanCyber.
Miguel Marques, Offensive Security Team Leader at Quorum Cyber.