Penetration Testing vs Vulnerability Scanning
What’s better, one-off pen-testing, or regular vulnerability scanning?
Penetration tests have long been an essential part of many organisation’s strategy to protect themselves from cyber attack, and an excellent way to find flaws at a certain point in time. But the use of penetration testing alone can often leave such organisations defenceless for long periods of time.
Performing annual penetration tests as a primary defence against attackers gained popularity in years gone by, for good reasons, and is still common in the cyber security industry today. And while this strategy is certainly better than doing nothing, it does have a fairly critical drawback —what happens between tests?
For example, what happens when a critical new vulnerability is discovered in the Apache web server operating a sensitive customer portal during that long year between their annual pen tests. Or a security misconfiguration gets introduced by a junior developer. What if a network engineer temporarily opens up a port on a firewall exposing a database to the internet, and forgets to close it? Whose job is it to notice these issues which, if left unchecked, could result in a data breach or compromise?
Without continuous monitoring of issues such as these, would they be identified and fixed before attackers get a chance to take advantage?
Premises with a need for robust physical security often boast 24/7 automated solutions to deter attackers every day of the year. So why do some companies treat cyber security any differently? Especially when on average 20 new vulnerabilities get discovered every single day. We don’t think they should!
So hopefully you can start to see why sparsely scheduled pen testing alone is not enough. It really is the cyber equivalent of checking the locks of your high-security building’s premises once a year, but leaving it unmanned without bothering to check if it’s still secure until your next yearly once over. Sounds a bit crazy, right?
Scanning for security issues on a regular basis helps to complement manual testing, as it provides organisations a good level of ongoing security coverage between manual tests.
A lot of companies today are still using annual penetration testing as their single line of defence, but as understanding of how frequently weaknesses arise continues to mature, our view is that automated continuous monitoring solutions will become the first port of call for all companies, with manual penetration testing a powerful backup plan.
Thankfully, awareness is increasing of the need for a strategy which provides protection all year round, but we’ve still some way to go.
Perhaps it’s time to wake up and smell the continuous coverage!
Thanks to Chris Wallis