Penetration Testing vs Vulnerability Scanning

Daniel Andrew
Head of Security

People frequently confuse penetration testing and vulnerability scanning, and it is understandable why. Both services are responsible for revealing weaknesses in your IT infrastructure by examining your systems in a manner similar to how an actual hacker would. However, there is a very important distinction between the two. So what exactly is the difference between penetration testing vs vulnerability scanning?

The main difference between penetration testing and vulnerability scanning

Penetration testing is a manual security assessment in which a cyber security professional attempts to find a way to break into your systems. It is an in-depth test that evaluates security controls across a variety of systems, including web applications, networks and cloud environments. This kind of testing can take several weeks to complete, and because of its complexity and cost it is commonly carried out only on an annual basis.

Vulnerability scanning, on the other hand, is automated and performed by tools which can be either installed directly on your network or accessed online (sometimes referred to as automated pen testing). Vulnerability scanners run thousands of security checks against your systems, producing a list of vulnerabilities with corresponding remediation advice. That being the case, it is possible to run continuous security checks even without having a full-time cyber security expert on the team.

What’s better, one-off pen-testing, or regular vulnerability scanning?

Penetration tests have long been an essential part of many organizations' strategies to protect themselves from cyber attacks, and an excellent way to find flaws at a certain point in time. But the use of penetration testing alone can often leave such organizations defenseless for long periods of time.

Performing annual penetration tests as a primary defense against attackers gained popularity in years gone by, for good reasons, and is still common in the cyber security industry today. And while this strategy is certainly better than doing nothing, it does have a fairly critical drawback: what happens between tests?

Let's get these set up to check our premises... once a year?

For example, what happens when a critical new vulnerability is discovered in the Apache web server running a sensitive customer portal during that long year between annual pen tests? Or when a security misconfiguration is introduced by a junior developer? What if a network engineer temporarily opens a port on a firewall, exposing a database to the internet, and forgets to close it? Whose job is it to notice these issues, which, if left unchecked, could result in a data breach or compromise?

Without continuous monitoring of issues such as these, would they be identified and fixed before attackers get a chance to take advantage?

Premises with a need for robust physical security often boast 24/7 automated solutions to deter attackers every day of the year. So why do some companies treat cyber security any differently? Especially when on average 68 new vulnerabilities get discovered every single day. We don’t think they should!

So hopefully you can start to see why sparsely scheduled pen testing alone is not enough. It really is the cyber equivalent of checking the locks of your high-security building's premises once a year, then leaving it unmanned without bothering to check whether it is still secure until the next yearly once-over. Sounds a bit crazy, right?

Who is checking that no-one’s left the door unlocked?

Scanning for security issues on a regular basis helps to complement manual testing, as it provides organizations with a good level of ongoing security coverage between manual tests.

A lot of companies today are still using annual penetration testing as their single line of defense, but as understanding of how frequently weaknesses arise continues to mature, our view is that automated vulnerability scanning solutions will become the first port of call for all companies, with manual penetration testing a powerful backup plan.

Thankfully, awareness of the need for a strategy that provides protection all year round is increasing, but we still have some way to go.

Perhaps it’s time to wake up and smell the continuous coverage!

Intruder offers both penetration testing and vulnerability scanning services. Intruder’s continuous vulnerability scanning helps you keep on top of the latest vulnerabilities and alerts you to emerging threats which affect your most-exposed systems. Get started with a free trial today.

Thanks to Chris Wallis
