
Blog

What is the difference between a VA scan and a pentest?


Our slogan, Ready for more than a VA?®, was developed to bring to light the common misunderstanding between a VA scan and a pentest. The two phrases are often used interchangeably or together. We’ve lost track of the number of references we’ve seen of a VAPT (Vulnerability Assessment Penetration Test) outlined by customer requests, RFPs, and service offerings; however, it is critical to understand that there is a massive difference between the two.

In short, a vulnerability scan is one task within a penetration test whose purpose is to identify vulnerabilities residing in infrastructure systems and third-party software packages. A penetration test takes this several steps further and attempts to exploit any and all findings discovered, so that risk can be accounted for more accurately.

What is the purpose of a VA scan?

A vulnerability scan is an automated technology whose purpose is to identify vulnerabilities residing in operating systems and third-party software packages using a predefined list of known vulnerabilities. VA scans leverage a knowledge base of known vulnerabilities, including those arising from missing security patches, insecure configuration, potential malware, weak passwords, and more. Commercial offerings include Qualys, Nessus, Nexpose and others.

The quality of these scanners depends on the depth of their knowledge base and the accuracy of their results (i.e., low false positives and false negatives). Open-source scanners make their best effort; however, without financial backing, they often fall short and offer mixed results. Vulnerability scanners must be comprehensive, rapidly updated, consistent, and accurate to ensure their reports are valuable.
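To make concrete what "a predefined list of known vulnerabilities" and "accuracy of the results" mean in practice, here is an added illustrative scanner written for this page in Python; it is not code from the original post or from any of the vendors named above. The advisory identifiers, package names, versions and host names are all constructed for the example (they are not real CVEs or real products). It shows the three things that decide a scanner's accuracy: knowledge-base coverage (a package with no signature is simply invisible to the scanner, a false negative), correct version comparison (a naive string comparison misorders "2.4.10" and "2.4.9"), and the backported-fix case that produces a false positive when only the version string is matched.

```python
"""Toy version-matching vulnerability scanner (illustration only).

Everything below is constructed for the example: the advisory knowledge base,
the software inventory, and the advisory ids are hypothetical and are NOT real
CVE numbers, real products or real hosts.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical id such as "ADV-0001", not a real CVE
    package: str
    fixed_in: Version     # first version that contains the fix
    severity: str


@dataclass(frozen=True)
class InstalledPackage:
    host: str
    name: str
    version: str
    # Some Linux distributions backport a security fix without raising the
    # upstream version number; a good inventory records which advisories the
    # vendor has already patched so the scanner can suppress the false positive.
    backported_fixes: FrozenSet[str] = frozenset()


def parse_version(text: str) -> Version:
    """Turn '2.4.10' into (2, 4, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


# Constructed knowledge base: what the scanner "knows" about.
KNOWLEDGE_BASE: List[Advisory] = [
    Advisory("ADV-0001", "examplehttpd", (2, 4, 10), "high"),
    Advisory("ADV-0002", "examplessl", (1, 1, 3), "critical"),
]

# Constructed inventory as an agent or authenticated scan might collect it.
INVENTORY: List[InstalledPackage] = [
    InstalledPackage("web01", "examplehttpd", "2.4.9"),    # genuinely unpatched
    InstalledPackage("web02", "examplehttpd", "2.4.10"),   # patched
    InstalledPackage("db01", "examplessl", "1.1.2", frozenset({"ADV-0002"})),  # backported fix
    InstalledPackage("app01", "inhouse-portal", "3.0.0"),  # custom code: no signatures exist
]


def naive_scan(inventory: List[InstalledPackage], kb: List[Advisory]) -> List[Tuple[str, str]]:
    """Match on package name and version string alone (how the simplest checks work)."""
    findings = []
    for pkg in inventory:
        for adv in kb:
            if adv.package == pkg.name and parse_version(pkg.version) < adv.fixed_in:
                findings.append((pkg.host, adv.advisory_id))
    return findings


def backport_aware_scan(inventory: List[InstalledPackage], kb: List[Advisory]) -> List[Tuple[str, str]]:
    """Same match, but suppress advisories the vendor has already backported."""
    findings = []
    for pkg in inventory:
        for adv in kb:
            if adv.package != pkg.name:
                continue
            if adv.advisory_id in pkg.backported_fixes:
                continue  # fix is present even though the version number is old
            if parse_version(pkg.version) < adv.fixed_in:
                findings.append((pkg.host, adv.advisory_id))
    return findings


def uncovered_packages(inventory: List[InstalledPackage], kb: List[Advisory]) -> List[str]:
    """Packages with no signature at all: the scanner can say nothing about them."""
    known = {adv.package for adv in kb}
    return sorted({pkg.name for pkg in inventory if pkg.name not in known})


if __name__ == "__main__":
    print("naive:          ", naive_scan(INVENTORY, KNOWLEDGE_BASE))
    print("backport-aware: ", backport_aware_scan(INVENTORY, KNOWLEDGE_BASE))
    print("not covered:    ", uncovered_packages(INVENTORY, KNOWLEDGE_BASE))
    print("lexical pitfall:", "2.4.10" < "2.4.9", "numeric:", parse_version("2.4.10") < parse_version("2.4.9"))
```

The naive pass flags db01 even though the vendor backported the fix, while the backport-aware pass reports only web01; the in-house portal never appears in either because nothing in the knowledge base describes it, which is the same gap the post points to when it says custom web applications need deeper testing than a scan can provide.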

What is the purpose of a pentest?

A penetration test is a specialized simulation in which a qualified consultant follows a methodology to actively attempt to compromise an environment. This usually involves multiple stages, including Recon, Discovery, Exploitation, and Reporting, carried out as an iterative process. The purpose of a penetration test is first to discover any and all vulnerabilities residing in the target systems, and then to measure the likelihood of a compromise by attempting to exploit the discovered vulnerabilities, in order to understand both the potential impact and the likelihood of an occurrence.

While a VA scan relies on automation, a penetration test leverages both manual and automated testing techniques to assess your level of risk from various threats. The more effort allocated to a test, the more sophisticated the attacker being simulated. A vulnerability scan can be overwhelming in the volume of data it produces; the objective of a pentest is to reduce that noise and focus on the critical findings that require remediation and that are exposed through a weakness in your defence.

Do we need both?

The short answer is: yes. Vulnerability scans are best scheduled regularly, with the interval depending on the size of your organization. Larger organizations benefit from weekly scans to keep a closer eye on the state of their environment and on mobile workforces. Medium-sized organizations (>500 employees) often require monthly scans to stay on top of new vulnerabilities and to verify that their patching process is working correctly. For smaller organizations, quarterly is the minimum interval for scanning.

Penetration testing, on the other hand, is best scheduled on an annual basis, or after any significant change. In larger organizations, it is best practice to test your external perimeter or applications more frequently, to reduce the exposure created by internet-facing services, newly introduced features, or significant code changes and platform upgrades.

What is a significant change? A significant change is a datacentre migration, an OS upgrade, or a change in exposure or service offerings (e.g., a new eCommerce website). For applications, we recommend a full test after a major release, assuming minor releases are tested with automation and source-code scans as part of your secure development lifecycle (SDLC).

Ready for more than a VA scan?®

In summary, a vulnerability scan is not enough. Although VA scans are valuable tools for staying on top of the security of your environment on a regular basis, it should be understood that they come with limitations. Vulnerability scans are not effective at testing web applications, because those applications often consist of custom code for which no scanner signatures exist, which is why more in-depth testing is required. Conversely, a penetration test takes a vulnerability scan much further and explores your environment from an attacker's perspective. It separates out the noise, outlines the most critical findings that require remediation, and explains why they matter.

A penetration test is not the same as a vulnerability scan and requires a qualified resource to perform testing. In contrast, a vulnerability scan can be performed by a resource with limited experience. If you have any questions regarding choosing a penetration testing company, selecting a vulnerability scanner, or would like to learn more about how we can help, please contact us.