The first one and the second are said to be the best allies of CISO (and in general people in charge of IT security). There are though two different tools in a security strategy. What are the different characteristics of each?
Let’s start with the vulnerability scanner.
It is a software that is programmed to run tests on your platform, on your information system – … to detect vulnerabilities. A scanner identifies vulnerabilities thanks to its database containing the known vulnerabilities and common security issues. They go through networks, services, applications, etc.
First characteristic, the tests are automated. This means they are fast and a whole system can be easily tested in some hours / days, depending on its size.
Secondly, it can be scheduled at precise hours, for example outside working time or when it is more convenient for your organisation.
You can then plan scanners regularly and have therefore an (almost) continuous monitoring.
A third characteristic is the database, which is the core element of the scanners. The database is updated daily with the newest disclosed vulnerabilities. It is a good advantage to remediate rapidly to the latest threats discovered, compared to a penetration test conducted in general annually or bi-annually.
Finally, a scanner has a low cost, compared to a penetration test. However, this low cost at first is counterbalanced by the time spent by technical teams reading and confirming what was found by the vulnerability scan. Regularly, false positives are included in the report compiled at the end of the scan.
Last, but not least, scanners only test vulnerabilities they have in their database. They are not detecting unclassified vulnerabilities or logic flaws specific to your situation.
Let’s have a look now at a penetration test.
A pen test is run by penetration tester, a cyber security specialist, who discovers and exploits vulnerabilities as would real attackers do.
First characteristic, the vulnerabilities found are exploited: it enables to see the potential impact of an attack. Some vulnerabilities are combined to go further in the attacks.
Pentesters use real practices of malicious hackers, the same methods and tools. The attacks are realistic.
On a second point, pentesters are using automatic tools from the market but also their own tools and scripts they developed. They do a precise use of them and are able to set them for specific needs depending on the situation.
Indeed, as it is humans running tests, they can analyse your context to see the priorities to test and secure. They target then the elements that are more important for your business.
A third characteristic of penetration testing is that it detects logic flaws. Logic flaws are not proper technical problems as this article explains (and gives examples).In a nutshell, a logic flaw is when a logic process or a workflow can be avoided or circumvented.
Humans are capable of finding alternative ways in order to misuse applications, services, as they understand the context of use. Therefore, they are able to test the workflow or how the input of users could be misused, which an automatic scanner cannot.
Finally, once a penetration test is done, a detailed technical report with the flaws and attacks conducted is given. It also includes practical remediation suggestions that can be directly applied. The initial higher cost of penetration testing is counterbalanced by the time saved of technical teams. Pentest is a turnkey solution.
Choosing between one or the other depends on your context: other security measures already done or in place, specific risks, budget envelope… They answer different needs and different situations.
If you have to choose between the two, take some time to think about each solution, and contact providers of each service to have a direct exchange about your specific context.