Many information security professionals are familiar with the terms "'vulnerability assessment" and "penetration testing" ("pentest" for short). Unfortunately, in many cases, these two terms are incorrectly used interchangeably. This post aims to clarify differences between vulnerability assessment and penetration testing, demonstrate that both are integral components of a well-rounded vulnerability management program, and discuss when and where each is more appropriate.
A vulnerability assessment is the process of finding and measuring the severity of vulnerabilities in a system. Vulnerability assessments yield lists of vulnerabilities, often prioritized by severity and/or business criticality.
Vulnerability assessments typically involve the use of automated testing tools such as web and network security scanners, whose results are typically assessed, and escalated to development and operations teams. In other words, vulnerability assessments involve an in-depth evaluation of a security posture designed to uncover weaknesses and recommending appropriate remediation or mitigation to remove or reduce risk.
In contrast, penetration testing is typically a goal oriented exercise. A pentest has less to do with uncovering vulnerabilities and is rather more focused on simulating a real-life attack, testing defenses, and mapping-out paths a real attacker could take to fulfill a real-world goal. In other words, a penetration test is usually about how an attacker is able to breach defenses and less about specific vulnerabilities.
Penetration testing, like vulnerability assessment, also typically involves the use of automated vulnerability scanners and other manual pentest tools to find vulnerabilities in web applications and network infrastructure. While it may be more common in pentesting to chain and exploit vulnerabilities in order to accomplish the pentest's goal, this can also be a characteristic of vulnerability assessment. Conversely, not all pentests include elements exploitation - in some cases, demonstrating an attack may be enough.
To such an extent, the fundamental difference between vulnerability assessment and penetration testing is the former being list-oriented and the latter being goal-oriented.
So given that vulnerability assessment and penetration testing typically leverage many of the same tools and techniques, which methodology should you opt for, when, and why?
Since penetration testing tests security defenses across a path towards a goal, it is generally more useful when the target's security maturity level is high - that is, when the target's security defenses are believed to be strong. Penetration testing is an effective methodology of testing assertions about systems' defenses with specific goals in mind. This means that penetration testing is most suitable in situations where depth over breadth is preferred.
Vulnerability assessment, on the other hand, is especially well suited in situations where there are known security issues, or when an organization which is not as security mature would like to get started. Alternatively, vulnerability assessment is an ideal methodology for organizations who have a medium-to-high security maturity and would like to maintain their security posture through continuous vulnerability assessment - especially effective when automated security testing is leveraged. Vulnerability assessments are, therefore, an approach which focuses on providing organizations with a list of vulnerabilities that need to be fixed, without evaluating specific attack goals or scenarios. This makes vulnerability assessment most suitable for situations where breadth over depth is preferred.