You Say Tomato, I Say Pen Test

One of the classic debates in information security circles is the difference between a vulnerability assessment and a penetration test. To add to the confusion, vendors will often create their own definitions, conflate terminology, or make the material difficult to understand by using obscure technical jargon that leaves clients bewildered. But does it really matter?

There’s an old adage that if you don’t know where you’re going, any road will take you there. In the same way, performing the correct service for a client’s security goals is critical to achieving a positive outcome. Although many clients have heard that they need a “pen test,” usually an initial vulnerability assessment is the best place to start.

To illustrate the issue further, let’s start off with some of the definitions we use at PLEX, followed by a few examples of how these concepts work:

A vulnerability scan uses a variety of commercial or open-source (i.e., free) tools, called vulnerability scanners, to “scan” a target system for known vulnerabilities that could potentially impact the target’s web application or network environment.

A vulnerability assessment is a formatted report that presents the results of the vulnerability scan to the client, organized by vulnerability type and severity. Vulnerability assessments frequently use the Common Vulnerability Scoring System (CVSS), a widely accepted industry standard, to calculate the severity of vulnerabilities found in a scan.

A penetration test, or “pen test,” is the deliberate exploitation of identified vulnerabilities and subsequent penetration of the vulnerable systems that possess them.

The main difference between the two service offerings is that pen tests typically include exploitation of discovered vulnerabilities. This difference offers at least three additional benefits over vulnerability assessments:

  1. Proof that the client’s systems are actually vulnerable to the issues that vulnerability scanning / testing has identified
  2. A test of the client’s ability to detect / respond to a “friendly” attack
  3. Vulnerability “impact” insights that help clients understand the importance of fixing systems that might otherwise be considered unimportant and remain unpatched

Conclusion

Despite the additional benefits of a pen test, most small and mid-tier organizations that don’t have fully developed security programs or network defenders will typically want to establish an initial security baseline through a vulnerability assessment, not a pen test. Navigating these subtleties and recommending the right kind of security testing is one of the ways that PLEX creates tailored engagements that help our clients achieve their cybersecurity goals.

By Terry Bradley, Vice President at PLEX