It is not uncommon, in conversations with clients, that we need to explain the difference between Vulnerability Scanning and Penetration Testing, as well as between other services, including some that our analysts do not perform themselves. This is normal, and often expected, given the nature of these services.
With this in mind, we have published articles explaining the differences between several of these services and when to use each one: pentests, SAST and DAST, code review, and so on.
In this article we explain the difference between Vulnerability Scanning and Penetration Testing, two services that raise many questions. We hope to contribute to a better understanding of the topic.
Understanding Pentest
We often find ourselves thinking that a Pentest alone will solve all web application security issues, or that periodic testing guarantees long-term security.
However, in our article on Continuous AppSec vs. Pentest, we showed how a secure development process can be far more effective and efficient than relying only on periodic Penetration Tests.
In another post, Types of Pentests – White, Gray and Black Box, we show the differences between the various types of test that can be performed and how each can be used.
Now it is time to explain the benefits of running Vulnerability Scanning and Pentesting together, and the characteristics of each.
Since Pentest is already a familiar concept to information security professionals, we will not go deeply into it here.
If you want to understand penetration testing (also called intrusion testing) better, we invite you to read the articles above. We believe that information, together with the comparisons to other services, will make the topic easier to follow.
Pentests and Vulnerability Scanning are, of course, different services, but the similarities between them always raise some doubts.
Let’s take a closer look at Vulnerability Scans.
Vulnerability Scanning vs. Pentest
Vulnerability scanning is an automated process that uses tools to search your systems for known security vulnerabilities.
From this, the scanner generates an extensive report of potential vulnerabilities that could threaten the systems. “Potential” is the key word: automated findings include false positives and need triage.
Penetration testing, on the other hand, is a largely manual process that often starts from the information in the scan reports: the pentester tries to actually exploit the reported vulnerabilities, chain them together, and demonstrate impact, such as gaining access to sensitive data.
Running vulnerability scans periodically helps build a baseline of your systems, so that abnormal changes (a new open service, a finding that was not there last week) are easier to spot.
Typically, this type of testing is performed to validate the security measures of a system or network and, being automated, requires little hands-on involvement from team members while it runs.
In addition, vulnerability scans are very useful for verifying that the security settings that were chosen have actually been applied.
Even so, although the service is automated and depends more on the tool than on the individual, experienced analysts are still needed to validate the conclusions presented in the reports: confirm true positives, discard false positives, and rate severity in the context of the environment.
And, beyond analysing the reports, analysts must have full knowledge of the structure and processes within the chosen scope. This makes the scan more efficient and avoids impacting production processes (for example, by scanning fragile systems at the wrong time or with intrusive checks).
Two types of Vulnerability Scanning
We also need to remember that vulnerability scans have their own categories: there are two types of scan that can be used.
The first is authenticated scanning, in which the scanner is given valid credentials for the target (a user account, an SSH key, or a locally installed agent). The second, as you can imagine, is unauthenticated scanning, in which the scanner has no credentials and sees only what an outsider on the network sees.
An authenticated vulnerability scan can go deeper: with access already granted, it can inspect installed packages, patch levels and configuration files directly, rather than inferring them from the outside.
Unauthenticated vulnerability scanning, on the other hand, can only act on information that is exposed to the network, such as open ports, service banners and responses to probes, i.e. what is already known or publicly observable.
In general, both models are important, but they have different functions and each should be used for its own purpose. Unauthenticated scanning is generally used to identify the externally visible security posture of the system, the attack surface an outsider would see.
How do tools validate vulnerabilities?
It is worth knowing that vulnerability scanning tools work from a regularly updated list of published vulnerabilities (a signature database). By construction, they can only detect what is already known to their vendor.
A characteristic of these tools is that a signature is normally added to the list only after the vulnerability has been publicly disclosed, usually together with a known fix.
This has a positive side: the tools do not hand malicious actors a ready-made list of unfixable flaws to hunt for. But it also presents a problem: a vulnerability is identified only once it is known and, typically, once a fix exists. So, for a while, systems that rely solely on this kind of tool remain vulnerable without knowing it.
Therefore, this characteristic alone shows that vulnerability scanning cannot be the sole basis for securing a system. It works from a database of known vulnerabilities and will not report the newest ones, nor flaws that have no signature at all, such as business-logic errors in an application.
Where to find good practices for Vulnerability Scanning and Pentesting?
The Center for Internet Security (CIS) publishes an interesting document, the CIS Critical Security Controls (the version with 20 controls), and these controls help set priorities and frequency for the two types of test we are discussing.
According to this document, two points in Control #3, which covers vulnerability management and scanning tools, help us understand how to best adjust these tests.
The first point is the use of automated tools to perform vulnerability scans. As the document describes it:
“Utilize an automated vulnerability scanning tool that supports SCAP validation to automatically scan all systems at weekly intervals, or more frequently for the most critical systems, in order to identify potential vulnerabilities.”
Regular automated scanning is important to stay informed of newly published vulnerabilities, as well as of changes made to your systems.
Periodic, automated checks provide valuable insight into the true state of all systems, which helps prioritize and adjust remediation processes.
In the second point, the CIS document recommends automated, authenticated scanning of systems, either with agents running locally on each host or with remote scanners configured with credentials for the target.
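The paragraph above mentions that periodic scans reveal changes and help prioritize remediation. The snippet below, an added example and not code from the original article or from any scanner vendor, shows the kind of comparison a practitioner does between two consecutive scan exports to classify findings as new, fixed, persistent, or changed in severity. The CSV layout, hosts and `EXAMPLE-` identifiers are constructed for illustration; real exports have more columns but the same idea applies. It also handles the classic pitfall: a finding that disappears because the host was offline during the scan is not a fix.

```python
"""Diff two periodic vulnerability-scan exports (added example, constructed data)."""
from __future__ import annotations

import csv
import io

# Constructed scan exports: (host, port, vuln_id, severity). Not real data.
BASELINE_CSV = """host,port,vuln_id,severity
10.0.0.5,22,EXAMPLE-0001,high
10.0.0.5,443,EXAMPLE-0002,medium
10.0.0.7,80,EXAMPLE-0003,low
10.0.0.8,445,EXAMPLE-0006,high
"""

CURRENT_CSV = """host,port,vuln_id,severity
10.0.0.5,22,EXAMPLE-0001,high
10.0.0.5,443,EXAMPLE-0002,high
10.0.0.7,8080,EXAMPLE-0004,critical
10.0.0.9,3389,EXAMPLE-0005,high
"""

# Hosts the current run actually reached. 10.0.0.8 was offline, so its
# baseline finding cannot be declared fixed. (Constructed.)
CURRENT_SCANNED_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}

Key = tuple[str, int, str]


def load_findings(text: str) -> dict[Key, str]:
    """Index a scan export by (host, port, vuln_id) -> severity."""
    findings: dict[Key, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        key: Key = (row["host"], int(row["port"]), row["vuln_id"])
        findings[key] = row["severity"]
    return findings


def diff_scans(baseline: dict[Key, str], current: dict[Key, str],
               scanned_hosts: set[str]) -> dict[str, list]:
    """Classify findings between a baseline run and the current run.

    'fixed' only counts findings on hosts that were actually scanned this
    time; findings on unreachable hosts are reported as 'unverified'.
    """
    disappeared = set(baseline) - set(current)
    persistent = sorted(set(baseline) & set(current))
    return {
        "new": sorted(set(current) - set(baseline)),
        "fixed": sorted(k for k in disappeared if k[0] in scanned_hosts),
        "unverified": sorted(k for k in disappeared if k[0] not in scanned_hosts),
        "persistent": persistent,
        "severity_changed": sorted(k for k in persistent if baseline[k] != current[k]),
        "new_hosts": sorted({h for h, _, _ in current} - {h for h, _, _ in baseline}),
    }


def run_example() -> dict[str, list]:
    return diff_scans(load_findings(BASELINE_CSV), load_findings(CURRENT_CSV),
                      CURRENT_SCANNED_HOSTS)


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

The "new_hosts" bucket is the baseline point in practice: an address that was never in a previous export is a change in the environment worth a question before it is a vulnerability finding.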
Authenticated vs. unauthenticated vulnerability scans
Authenticated vulnerability scans produce much more accurate audit results because they work from the actual data on the system (installed package versions, patch level, configuration) rather than from inferences.
Unauthenticated checks, in turn, only collect data about what the scanning tool can “see” from outside the system.
Therefore, as mentioned above, when performed with credentials, the checks allow the tool to produce more in-depth results, and fewer false positives of the kind caused by guessing a version from a service banner (a distribution that backports a fix keeps the old version string, and an unauthenticated scanner will keep flagging it).
Of course, the data collected in both types of test is important, but data collected through authenticated checks provides much more information.
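To make concrete what the sections above describe, that a scanner only flags what is in its signature list and that an authenticated scan sees more of the host than an unauthenticated one, here is an added example: a toy signature-based matcher written for this article, not code from the original post or from any real scanner. The vulnerability identifiers, package names and "fixed in" versions are constructed, and the version comparison is deliberately naive (real tools must understand distribution-specific version schemes and backported fixes).

```python
"""Toy signature-based vulnerability matcher (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    vuln_id: str    # hypothetical identifier, not a real CVE
    package: str
    fixed_in: str   # first version that contains the fix


# Constructed "known vulnerabilities" feed. The scanner can only flag what is listed here.
SIGNATURES = [
    Signature("EXAMPLE-2024-0001", "openssh-server", "9.3"),
    Signature("EXAMPLE-2024-0002", "nginx", "1.25.1"),
    Signature("EXAMPLE-2024-0003", "sudo", "1.9.14"),
]

# Unauthenticated view: only banners of network-exposed services are observable.
UNAUTHENTICATED_VIEW = {"openssh-server": "9.2", "nginx": "1.24.0"}

# Authenticated view: the full package inventory, including local-only software.
# libfoo 2.0 is assumed to carry a flaw that has no signature yet (see below).
AUTHENTICATED_VIEW = {
    "openssh-server": "9.2",
    "nginx": "1.24.0",
    "sudo": "1.9.13",
    "libfoo": "2.0",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Naive dotted-numeric version parser; enough for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def match(inventory: dict[str, str],
          signatures: list[Signature] = SIGNATURES) -> list[str]:
    """Return the ids of signatures whose package is installed below fixed_in."""
    hits = []
    for sig in signatures:
        installed = inventory.get(sig.package)
        if installed is None:
            continue   # package not visible in this view, nothing to compare
        if parse_version(installed) < parse_version(sig.fixed_in):
            hits.append(sig.vuln_id)
    return hits


def match_after_feed_update(inventory: dict[str, str]) -> list[str]:
    """Same host, but the feed now carries a signature for libfoo < 2.1."""
    updated = SIGNATURES + [Signature("EXAMPLE-2024-0004", "libfoo", "2.1")]
    return match(inventory, updated)


if __name__ == "__main__":
    print("unauthenticated:", match(UNAUTHENTICATED_VIEW))
    print("authenticated:  ", match(AUTHENTICATED_VIEW))
    print("after feed update:", match_after_feed_update(AUTHENTICATED_VIEW))
```

Run the three calls in order: the unauthenticated view yields two findings, the authenticated view adds the local `sudo` issue, and the flaw in `libfoo` is invisible until the feed gains a signature for it. That last step is the detection gap the previous section describes, and it is the same no matter how often the scan runs.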
Control #20 deals with penetration testing and, likewise, its first two points are relevant to this article.
The first point of Control #20 says that a penetration testing program should be established and maintained, with a scope that covers the most critical types of attack, including attacks against web applications.
Creating and maintaining such a program helps identify critical vulnerabilities in Internet-exposed systems, which reduces the potential for data and system compromise.
However, as we said in previous posts, simply running penetration tests does not guarantee security; it only helps us identify vulnerabilities that are already in the system.
The second point leads us to define a frequency within the testing program, so that an acceptable time window is maintained between one test and the next.
This time window must be set according to the criticality and importance of each system. The important thing is to keep testing, and to use both types: Vulnerability Scanning and Penetration Testing.
What have we concluded about Vulnerability Scanning & Penetration Testing?
It is interesting to see that many of the tests we perform and find on the market are complementary, yet, curiously, few people realize this.
We have noticed that a large share of professionals do not pay attention to the purpose and timing of each test, and keep looking for solutions, tools or tests that are not indicated or needed in a given scenario.
Performing Vulnerability Scanning broadly and frequently, combined with Penetration Testing on a regular basis, is the best way to ensure that vulnerabilities are identified as early as possible, minimizing application risk.
This has deep roots: the rapid migration to development models in which every practitioner performs a variety of activities, without, for some reason, having been adequately trained for their new responsibilities.
This shows us that more training and knowledge sharing are still needed. That way we can clarify each of these test models more and more.
And you: how do you see these tests?
