There has been a lot of chatter and questions about penetration tests vs vulnerability scans lately, so I wanted to give some guidance on how to make a distinction.

A Vulnerability Scan?

Vulnerability scans look for known vulnerabilities in your systems and report on them.

I like to use a door lock analogy here. Let’s say you bought a Schlage door lock from Home Depot. A month later, you get a notification that your lock doesn’t quite lock correctly. If a burglar were to tap on the lock 10 times, the lock would just open. Schlage released a bulletin about this and called it the 10-tap vulnerability.

The Schlage lock company issued a replacement part that you could install in the lock to make sure that the 10-tap vulnerability is no longer present.

If a home inspector were running an analysis of your house, they might check (1) whether you have the Schlage lock model that has the vulnerability or (2) whether the fix to the 10-tap vulnerability is in place. He or she would give you a report that your lock is or is not susceptible to the 10-tap flaw.

That home inspector in essence was performing a vulnerability assessment—looking for weaknesses in your home. If he found that the 10-tap vulnerability was there, he would let you know that it was an issue.

When your team performs a vulnerability assessment or scan of a network, they are looking for vulnerabilities present on the network. These are known problems—maybe patches, configurations, or permission levels, for instance—that may be cause for concern. Your report alerts someone to potential problems on their network and reports out on those concerns. That’s as far as you’re going here.

A penetration test goes a bit further.

Penetration tests are used to exploit weaknesses in the system. These tests exploit the vulnerabilities to show the consequences of not taking action.

Going back to the door lock analogy, if the home inspector actually tapped the lock 10 times to try to gain entry, they’d be attempting to exploit the 10-tap vulnerability.