Vulnerability Scanning vs. Penetration Testing: 3 Things You Should Know

There are many views on what separates a vulnerability scan and assessment from a penetration test.  Below you will find the primary distinctions as they relate to cyber security services frequently provided in the DoD sector.

Vulnerability Scanning

Vulnerability scanning is designed to allow a cyber security analyst to create a prioritized list of vulnerabilities for a customer who is likely already aware that they are not where they need to be in terms of DoD information assurance and computer security.  The customer already understands that they have open vulnerabilities (perhaps on new computer systems, networks, etc.) and simply needs assistance identifying and prioritizing them.

Also note that during initial vulnerability scans and assessments, the more potential vulnerabilities identified the better.

What you really need to know:

  1. Target customer:  Typically requested by customers who already know they have potential security problems, and need help getting their cyber security plan started.
  2. Focus:  Broad system-wide or network-wide evaluation of an unsecured system/network.
  3. Goal:  Attain a prioritized list of vulnerabilities and associated patches in the environment so that a remediation plan can be created and implemented.

Penetration Testing

Penetration testing is a process designed to simulate a cyber attacker who has a specific goal.  Penetration testing, therefore, is often focused on a particular piece of software or network service.

These tests are conducted by a cyber security analyst for customers who are already compliant with the regulations for DoD cyber security and information assurance, but are concerned about vulnerabilities relating to a particular system or part of their network.  A typical goal could be to access a new network service like a customer-facing database.

The standard output for a penetration test is a report detailing how the cyber security analyst breached specific cyber security defenses during the simulated attack, along with suggestions on how to remediate the underlying vulnerabilities.

What you really need to know:

  1. Target customer:  A client who believes their cyber security defenses are strong, and wants to test this claim for a specific part of their system/network.
  2. Focus:  In-depth, highly intensive testing of a secure system/network.
  3. Goal:  Determine whether a compliant cyber security posture can endure a cyber security attack from an advanced attacker with a specific target or objective.