Penetration Testing vs Vulnerability Scanning
What is the main difference between vulnerability scanning and penetration testing?
People frequently confuse penetration testing and vulnerability scanning, and it is understandable why. Both services are responsible for revealing weaknesses in your IT infrastructure by examining your systems in a manner similar to how an actual hacker would. However, there is a very important distinction between the two. So what exactly is it?
Penetration testing is a manual security assessment whereby a cyber security professional attempts to find a way to break into your systems. It is an in-depth test which evaluates security controls across a variety of systems, including web application, network and cloud environments. This kind of testing could take several weeks to complete, and due to its complexity and cost, is commonly carried out only on an annual basis.
Vulnerability scanning, on the other hand, is automated and performed by tools which can be either installed directly on your network or accessed online. Vulnerability scanners run thousands of security checks against your systems, producing a list of vulnerabilities with corresponding remediation advice. That being the case, it is possible to run continuous security checks even without having a full-time cyber security expert on the team.
What’s better, one-off pen-testing, or regular vulnerability scanning?
Penetration tests have long been an essential part of many organisations' strategies to protect themselves from cyber attack, and an excellent way to find flaws at a certain point in time. But relying on penetration testing alone can leave such organisations defenceless for long periods of time.
Performing annual penetration tests as a primary defence against attackers gained popularity in years gone by, for good reasons, and is still common in the cyber security industry today. And while this strategy is certainly better than doing nothing, it does have a fairly critical drawback: what happens between tests?
For example, what happens when a critical new vulnerability is discovered in the Apache web server operating a sensitive customer portal during the long year between annual pen tests? Or what if a security misconfiguration is introduced by a junior developer? What if a network engineer temporarily opens up a port on a firewall, exposing a database to the internet, and forgets to close it? Whose job is it to notice these issues which, if left unchecked, could result in a data breach or compromise?
Without continuous monitoring of issues such as these, would they be identified and fixed before attackers get a chance to take advantage?
Premises with a need for robust physical security often boast 24/7 automated solutions to deter attackers every day of the year. So why do some companies treat cyber security any differently? Especially when on average 20 new vulnerabilities get discovered every single day. We don’t think they should!
So hopefully you can start to see why sparsely scheduled pen testing alone is not enough. It really is the cyber equivalent of checking the locks of your high-security building once a year, then leaving it unmanned without bothering to check whether it is still secure until the next yearly once-over. Sounds a bit crazy, right?
Scanning for security issues on a regular basis helps to complement manual testing, as it provides organisations a good level of ongoing security coverage between manual tests.
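The scenarios above (a port opened "temporarily" and forgotten, a host nobody reviewed) are exactly what a scheduled check catches and a yearly test misses. The following script is an added illustration, not code from the original article or from Intruder: it compares a fresh exposure snapshot against an approved baseline, treats database and remote-access ports as critical, and carries first-seen timestamps across runs so an exposure that outlives its grace period is escalated. The hosts, ports and dates are constructed sample data, and the baseline, snapshot and state-file formats are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from any real scan). Hosts and ports are illustrative.
# Approved baseline: the ports each internet-facing host is allowed to expose.
BASELINE = {
    "portal.example.test": {80, 443},
    "mail.example.test": {25, 443, 587},
}

# Fresh snapshot as a continuous scan might report it: host -> ports observed open.
SNAPSHOT = {
    "portal.example.test": {80, 443, 5432},   # database port left open "temporarily"
    "mail.example.test": {25, 443},           # 587 no longer answers
    "staging.example.test": {8080},           # host that was never baselined
}

# Services that should never be internet-facing; any exposure is treated as critical.
SENSITIVE_PORTS = {
    22: "SSH", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Fixed "current time" so the demo is deterministic.
DEMO_NOW = datetime(2021, 1, 15)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str      # sensitive_exposure | unexpected_exposure | unbaselined_host | missing_service
    severity: str  # critical | high | medium | info


def diff_exposure(baseline, snapshot):
    """Compare observed exposure with the approved baseline and return findings."""
    findings = []
    for host in sorted(set(baseline) | set(snapshot)):
        allowed = baseline.get(host)
        observed = snapshot.get(host, set())
        if allowed is None:
            # A host appeared that was never reviewed: every open port is a finding.
            for port in sorted(observed):
                findings.append(Finding(host, port, "unbaselined_host", "medium"))
            continue
        for port in sorted(observed - allowed):
            if port in SENSITIVE_PORTS:
                findings.append(Finding(host, port, "sensitive_exposure", "critical"))
            else:
                findings.append(Finding(host, port, "unexpected_exposure", "high"))
        for port in sorted(allowed - observed):
            # Baselined service not answering: outage, or a stale baseline to review.
            findings.append(Finding(host, port, "missing_service", "info"))
    return findings


def track_persistence(previous, findings, now, grace=timedelta(days=7)):
    """Carry first-seen timestamps across runs and flag exposures older than `grace`.

    `previous` maps (host, port, kind) -> first_seen datetime from the last run.
    Returns (new_state, overdue); overdue lists exposures open longer than `grace`.
    """
    state = {}
    overdue = []
    for f in findings:
        key = (f.host, f.port, f.kind)
        first_seen = previous.get(key, now)
        state[key] = first_seen
        if f.kind != "missing_service" and now - first_seen > grace:
            overdue.append(f)
    return state, overdue


def format_report(findings, overdue):
    """Render findings most severe first, marking those past their grace period."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.host, f.port)):
        flag = " (OVERDUE)" if f in overdue else ""
        svc = SENSITIVE_PORTS.get(f.port, "")
        lines.append(f"[{f.severity.upper():8}] {f.host}:{f.port} {svc} {f.kind}{flag}".rstrip())
    return "\n".join(lines)


def run_demo():
    """One scheduled run, assuming a state file from a run ten days earlier."""
    findings = diff_exposure(BASELINE, SNAPSHOT)
    # Constructed prior state: the 5432 exposure was already present ten days ago.
    previous = {("portal.example.test", 5432, "sensitive_exposure"): DEMO_NOW - timedelta(days=10)}
    state, overdue = track_persistence(previous, findings, DEMO_NOW)
    return findings, overdue


if __name__ == "__main__":
    findings, overdue = run_demo()
    print(format_report(findings, overdue))
```

In practice the snapshot would come from whatever scanner the organisation runs on a schedule, and the state dictionary would be persisted between runs; the point of the persistence step is that a forgotten port does not just show up once in a report but keeps climbing in urgency until somebody closes it or adds it to the baseline deliberately.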
A lot of companies today are still using annual penetration testing as their single line of defence, but as understanding of how frequently weaknesses arise continues to mature, our view is that automated vulnerability scanning solutions will become the first port of call for all companies, with manual penetration testing a powerful backup plan.
Thankfully, awareness is increasing of the need for a strategy which provides protection all year round, but we’ve still some way to go.
Perhaps it’s time to wake up and smell the continuous coverage!
Thanks to Chris Wallis
Intruder offers both penetration testing and vulnerability scanning services. Intruder’s continuous vulnerability scanning service helps you keep on top of the latest vulnerabilities and alerts you to emerging threats which affect your most-exposed systems. Get started with a free trial today.
This article was originally published in January 2018, and updated in January 2021.