Vulnerability scanner vs penetration test

Both are said to be the best allies of the CISO (and, more generally, of anyone in charge of IT security). They are, however, two different tools in a security strategy. What are the different characteristics of a penetration test (pentest) and a vulnerability scanner?

Let’s start with the vulnerability scanner

It is software programmed to run tests on your platform, on your information system, … to detect vulnerabilities. A scanner identifies vulnerabilities by matching against its database of known vulnerabilities and common security issues. It goes through networks, services, applications, etc.

First characteristic: the tests are automated. This means they are fast, and a whole system can easily be tested in a few hours or days, depending on its size.

Secondly, a vulnerability scan can be scheduled at precise times, for example outside working hours or whenever is most convenient for your organisation. You can therefore plan regular scans and obtain (almost) continuous monitoring.

A third characteristic is the database, which is the core element of a scanner. It is updated daily with the newest disclosed vulnerabilities, a real advantage for remediating the latest discovered threats rapidly, compared to a penetration test usually performed once or twice a year.

Finally, a scanner costs less than a penetration test. However, this seemingly lower cost is counterbalanced by the time technical teams spend reading and confirming what the scan found: the report compiled at the end of a scan regularly includes false positives.

Last but not least, scanners only test for the vulnerabilities in their database. They do not detect unclassified vulnerabilities or logic flaws specific to your situation.

Let’s now look at the characteristics of a penetration test

A penetration test is run by a pentester, a cyber security specialist, who discovers and exploits vulnerabilities as real attackers would.

First characteristic: the vulnerabilities found are exploited, which shows the potential impact of an attack. Some vulnerabilities are chained to go further in the attack. Pentesters use the current practices of malicious hackers, the same methods and tools, so the attacks are realistic.

Second, pentesters use automated tools from the market but also their own tools and scripts. They use them precisely and are able to configure them for specific needs depending on the situation. Indeed, as humans are running the tests, they can analyse your context to see what to prioritise for testing and securing, targeting the elements that matter most to your business.

A third characteristic of penetration testing is that it detects logic flaws, which are not, strictly speaking, technical problems. In a nutshell, a logic flaw is when a business process or workflow can be bypassed or circumvented. Humans are capable of finding alternative ways to misuse applications and services because they understand the context of use. They can therefore test the workflow, or how user input could be misused, which an automated scanner cannot.
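As an added illustration (not code from the original article), the toy Python order workflow below shows the kind of logic flaw described here: a confirmation step that a signature-based scanner would never flag, because the defect is a missing check on the order of steps rather than a known vulnerability, placed next to a hardened version that enforces the workflow server-side. The order states, actions and the request sequence are constructed for this example.

```python
"""Toy order workflow illustrating a business-logic flaw (constructed example)."""
from dataclasses import dataclass, field

# Expected workflow: items are added, payment is taken, then the order is
# confirmed (shipped). A scanner's database has no entry for "confirm is
# reachable before payment": that property exists only in this application.
ALLOWED_TRANSITIONS = {
    "new": {"add_item"},
    "cart": {"add_item", "pay"},
    "paid": {"confirm"},
}


@dataclass
class Order:
    state: str = "new"
    items: list = field(default_factory=list)
    paid: bool = False
    rejected: list = field(default_factory=list)   # (state, action) pairs refused


def handle_naive(order, action):
    """Each step works in isolation; nothing checks that earlier steps ran."""
    if action == "add_item":
        order.items.append("item")
        order.state = "cart"
    elif action == "pay":
        order.paid = True
        order.state = "paid"
    elif action == "confirm":
        order.state = "shipped"          # ships even if the order was never paid
    return order


def handle_hardened(order, action):
    """Server-side state machine: a step is only valid from the right state."""
    if action not in ALLOWED_TRANSITIONS.get(order.state, set()):
        order.rejected.append((order.state, action))
        return order
    return handle_naive(order, action)   # the step itself is unchanged


def run(handler, actions):
    """Replay a sequence of client requests through the chosen handler."""
    order = Order()
    for action in actions:
        handler(order, action)
    return order


if __name__ == "__main__":
    skip_payment = ["add_item", "confirm"]   # constructed sequence that skips "pay"
    print(run(handle_naive, skip_payment))
    print(run(handle_hardened, skip_payment))
```

Replaying the same request sequence through both handlers is exactly the kind of workflow test a human performs: the naive handler ships an unpaid order, while the hardened one records the refused transition.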

Finally, once a penetration test is done, a detailed technical report describing the flaws found and the attacks conducted is delivered. It also includes practical remediation suggestions that can be applied directly. The seemingly higher initial cost of a pentest is offset by the time saved by the technical teams: a penetration test is a turnkey solution.

In summary, choosing between a penetration test and a vulnerability scanner depends on your context: security measures already taken or in place, specific risks, budget, etc. They answer different needs and different situations. If you have to choose between the two, take some time to think about each solution, and contact providers of each service to discuss your specific context.