As a security company we are asked about these two services a lot, and we are surprised by the number of businesses that think they are the same thing. Here are the main reasons why you need to know the difference between the two.
Please note that the points below are drawn from industry best-practice standards, e.g. PCI DSS.
Objective: The process identifies, ranks and reports the list of vulnerabilities or potential vulnerabilities that, if exploited, may result in a compromise of your system.
Plan the scan: It is recommended that your business conduct scans quarterly or after any significant changes have been made to your system. (Ref: PCI DSS Requirement 11.3)
Duration: Vulnerability scans take a short period of time; typically scanning can be completed within a day. This may differ based on the size of the project, but it is much shorter when compared to a penetration test.
Functionality: A vulnerability scan is an automated scan which produces a report that is then analysed by a third-party vendor such as Ward. Both external and internal vulnerability scans are conducted by Ward Solutions.
Reports: The vulnerabilities are typically ranked in accordance with the Common Vulnerability Scoring System (CVSS), which is what we mainly use; another ranking resource used for these kinds of scans is the National Vulnerability Database (NVD).
Now let’s look at the penetration test.
Objective: To discover and exploit exposures that exist on the internal or external network in order to gain access to sensitive information or resources. In addition, a detailed report is provided that gives prioritisation and remediation advice so that the necessary mitigations can be actioned.
Plan the test: It is recommended that a pen test be conducted annually or after any significant changes have been made to the system. (Ref: PCI DSS Requirement 11.3)
Duration: Penetration testing takes more time and differs depending on the nature of the testing (e.g. web application or infrastructure), the size, and the complexity of the environment. Before this type of testing begins, every project should be scoped in detail so that the effort required can be estimated.
Functionality: This process involves manual testing by one of our in-house pen testers and includes reconnaissance, discovery and exploitation phases. The output is a comprehensive report.
Reports: The comprehensive report consists of three sections:
- An executive summary.
- A detailed table of findings from the penetration test.
- An information-gathered section, which describes the results of all the testing carried out, both positive and negative.
The one piece of advice we can give before you conduct a scan or a test is to have a plan in place. Discuss why you need it and what you want to achieve from it, and involve the key decision makers in your organisation. Once you know what you really want to achieve from testing, set expectations and decide which areas of risk you need to focus on. Involving a third party will not disrupt your plan; it gives you a clearer perspective from all sides, so that you are not left with a gap that might have been missed if the work was done internally.
Ward advises that, when you receive proposals from third parties, you make sure you understand the differences above before you select the option that is right for your organisation and decide which one to go ahead with.
If you want to speak to one of our experts to proceed with this discussion: