It’s important to know where your vulnerabilities are; but that might not be enough.
The main objective of vulnerability scanning & penetration testing is to determine security weaknesses. These tests can also be used to demonstrate an organization’s security policy compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security incidents.
Vulnerability scans provide information about what is theoretically vulnerable, not necessarily what is exposed. They are conducted using mostly automated tools and cannot be customized to the extent that penetration testing can. They also tend to identify large volumes of vulnerabilities, many of which are false positives and low risk vulnerabilities that are difficult to discern from high risk vulnerabilities. This is a good starting point for an organization that knows it has potential vulnerabilities but is not necessarily concerned with immediate attacks or regulation compliancy.
Penetration Testing /White Hat testing
Penetration testing allows organizations to proactively assess vulnerabilities using real-world exploits, allowing technicians to evaluate the potential for their systems to be compromised through hacking or malware, in the same manner that attackers employ. There are many different services, applications, and tools used during penetration testing that are highly customizable. They are capable of simulating attacks on all of the various environments, equipment, and their configurations within your organization.
How do they differ?
A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications. Penetration testing should occur from both outside the network trying to come in (external testing) and from inside the network as well.
Vulnerability Scanning is the best starting point for clients whom have less specific security concerns regarding network & cloud based resources. Critical resources are identified by the client and vulnerability assessments are done against these resources, with or without the knowledge of existing IT Support personnel. Some resources can easily become overwhelmed by the vulnerability scanning tools and may suffer in performance or even begin to lose functionality. It is important that these resources are identified by the client and that these risks have been mitigated in the form of Vulnerability scanning during offline hours, or with the knowledge & consent that a production resource could become compromised.