Vulnerability scanning and pen testing are similar but not the same. Vulnerability scanning leverages automated tools to look for well-known and well-defined vulnerabilities. Penetration testing, on the other hand, leverages manual techniques to find flaws in configurations, business logic, and settings in addition to vulnerabilities.
What is vulnerability scanning?
Vulnerability scanning is the act of testing systems and applications for known vulnerabilities through an automated process. The scanner compares the versions of installed software and exposed services against a database of known vulnerabilities. Each vulnerability found is given a score using CVSS (the Common Vulnerability Scoring System).
Vulnerability scanning process
The vulnerability scanning process is similar to that of pen testing. It starts with authorization from the client and a client-provided scope; when the scan is run by an organization's own team, that team provides the authorization and scope.
Once the scope is determined, the scan is scheduled either as a one-time scan or as a recurring process. Then credentials can be added.
Credentialed scanning is recommended in some form, because a scanner that logs in to the host can inventory every installed package and its version, whereas an unauthenticated scan sees only what can be inferred from network enumeration. Whether the scan is run by an external party or the internal team is for the company's security team to decide.
Once the scan runs, it is important to review the results. Fix vulnerabilities in order of severity, scheduling the most severe ones as soon as possible.
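The core of what a scanner does in the steps above is mechanical: match an inventory of product versions against a database of affected version ranges, score each hit with CVSS, and rank the results by severity. The script below is an added example written for this article, not code from any scanning product. Every name and value in it is constructed: the product names, the EXAMPLE-* identifiers and the CVSS scores are made up, and the two inventories stand in for what an unauthenticated (banner-only) scan and a credentialed scan of the same host would see.

```python
"""Toy version-matching vulnerability scanner (added example, not from the article).

Everything here is constructed for illustration: the product names, the
EXAMPLE-* identifiers and the CVSS scores are made up, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str        # constructed identifier, not a real CVE
    product: str
    introduced_in: str  # first affected version (inclusive)
    fixed_in: str       # first version that contains the fix (exclusive)
    cvss: float         # CVSS base score, 0.0 to 10.0


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    product: str
    installed: str
    cvss: float
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Assumes plain dotted integers; real scanners need per-vendor rules.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, introduced_in: str, fixed_in: str) -> bool:
    """True when introduced_in <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(introduced_in) <= v < parse_version(fixed_in)


def severity(cvss: float) -> str:
    """Map a base score onto the CVSS v3 qualitative rating bands."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def scan(inventory: dict, db: list) -> list:
    """Match an inventory {product: version} against the database.

    Returns findings sorted by CVSS score, highest first, which is the
    order in which the article recommends scheduling fixes.
    """
    findings = []
    for record in db:
        installed = inventory.get(record.product)
        if installed is None:
            continue  # product not seen by this scan: nothing to match
        if is_affected(installed, record.introduced_in, record.fixed_in):
            findings.append(Finding(record.vuln_id, record.product, installed,
                                    record.cvss, severity(record.cvss)))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed vulnerability database (stands in for a public registry).
VULN_DB = [
    VulnRecord("EXAMPLE-0001", "web-server",   "2.0.0", "2.4.3", 9.8),
    VulnRecord("EXAMPLE-0002", "archive-tool", "1.2.0", "1.4.0", 7.5),
    VulnRecord("EXAMPLE-0003", "ssh-server",   "8.0.0", "8.5.0", 5.3),
    VulnRecord("EXAMPLE-0004", "web-server",   "2.0.0", "2.3.0", 6.1),
]

# Unauthenticated scan: only what the host advertises on the network.
BANNER_INVENTORY = {"web-server": "2.4.1"}

# Credentialed scan: the scanner logs in and reads the installed-package list.
CREDENTIALED_INVENTORY = {
    "web-server": "2.4.1",
    "archive-tool": "1.3.0",
    "ssh-server": "8.9.0",
}

if __name__ == "__main__":
    for label, inventory in (("banner-only", BANNER_INVENTORY),
                             ("credentialed", CREDENTIALED_INVENTORY)):
        print(f"{label} scan:")
        for f in scan(inventory, VULN_DB):
            print(f"  {f.vuln_id} {f.product} {f.installed} "
                  f"CVSS {f.cvss} ({f.severity})")
```

Run as-is, the banner-only inventory yields one finding (the web server), while the credentialed inventory also surfaces the locally installed archive tool, which no network enumeration would have revealed; the SSH server is present but already past its fixed version, so it correctly produces no finding. The ranking by CVSS score is what turns the raw match list into the remediation order the article recommends.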
What is penetration testing?
Pen testing is a simulated cyber attack against an organization, carried out by an authorized party to discover weaknesses before real attackers do. It relies heavily on manual testing to find misconfigurations and to take advantage of the particular situations the tester encounters.
Penetration testing process
The pen testing process starts with client authorization and a determination of the scope. Once this is done, it begins with discovery and enumeration, which can involve a vulnerability scan. Then the tester validates the findings and begins to exploit them in order to escalate privileges. The goal is eventually to take over every system, often by becoming the Domain Admin or, in the case of applications, by being able to read all the data and write arbitrary code.
While this does not happen on every test, the goal is to pivot through the environment and build a narrative that explains what a real-world attacker would do.
Key Differences between pen testing and vulnerability scanning
The key difference between vulnerability scanning and pen testing is the amount of manual work involved. While pen testing tools can be automated, they require more input from the tester to be used properly, including inputs based on the additional details discovered during enumeration.
Beyond that, a pen test often uses a vulnerability scan as the start of the test rather than as the end of it.
It is important to understand that a full cybersecurity program includes BOTH regular vulnerability scanning and pen testing. One does not replace the other.