Vulnerability scanning and penetration tests are relatively common among larger IT organizations, and they are becoming more common in smaller shops. In some organizations, these terms are used interchangeably to identify processes meant to root out weaknesses in applications and infrastructure, but is that right? What is the difference between a vulnerability scan and a penetration test, and how do these differences impact the goal of discovering exploitable weaknesses in an enterprise?
Vulnerability scans tend to use automated tools, with some manual support, to identify known weaknesses in a target enterprise. These scans can be a perfunctory as a port scan, or a scan for PCI compliance or the OWASP top ten vulnerabilities. The market is full of good tools that meet any need and an adequately scoped vulnerability scan can reveal a lot about an environment, including unapplied patches, vulnerable software versions, common weaknesses in applications and gaps in network controls like firewalls. What a vulnerability scan cannot do, is exploit those weaknesses to prove their severity or determine the extent the control environment's potential for compromise. A vulnerability scan also cannot often identify when other controls in an environment might mitigate vulnerability and render it useless as an exploit.
A penetration test can use a vulnerability scan. In fact, reconnaissance is part of any attack against an enterprise. Penetration tests usually involve manual effort, though a very basic penetration test can be performed by an assortment of tools that seek to exploit the very most basic vulnerabilities and deliver a payload. These are good for identifying issues in less secure or less mature environments that lack good detective controls or have a poor understanding of how their environment is constructed. More mature environments with the resources and technology to provide multiple layers of protection may be able to detect and mitigate these simpler penetration tests. A good, manual penetration test, with skilled practitioners, can reveal the less apparent holes in a controlled environment, the sort that results in significant compromises in the real world.
When performing a penetration test or engaging a third party to perform a penetration test, it is important to make sure not to scope the engagement incorrectly. Often, out of concern for availability or reliability of production systems a penetration test will be scoped to something more akin to a vulnerability scan. While there is some risk that a penetration test can cause availability issues with production systems, this is rare with skilled pen-testers. By limiting the scope of a penetration test to carve out the most important or vulnerable systems, or limiting vectors of attack, organizations do themselves a disservice.