Technology moves at breakneck speed, with improvements, enhancements and fixes for operating systems and applications being released constantly. Systems have never been more customisable, with an ever increasing range of options available to users and administrators. As a result, ensuring that no new vulnerabilities have been introduced into your environment is an on-going battle. This is where vulnerability assessments (VA) come in. Unlike the more manually driven penetration testing exercise, a VA is designed to identify vulnerabilities in your systems using a far more automated approach, built around security scanning and testing tools.
Vulnerability Assessments vs Penetration Testing
Both terms are used regularly in the cyber security space, and the line between the two can sometimes blur, but several factors help to distinguish them:
Cost
Often the first consideration when procuring security services – as a general rule of thumb, a pen test of any given system is likely to be more expensive than a vulnerability assessment. In a vulnerability assessment most of the work is done by automated tools, with some manual assessment and review of the results, so it will often come at a lower price point than a fully manual pen test.
Depth of Assessment
A vulnerability assessment is typically aimed at finding the vulnerabilities in your systems that are easy to detect. These are the vulnerabilities that an average attacker would be likely to find, and potentially leverage, during basic reconnaissance of your organisation. They can be seen as entry points into your systems and data, and remediating them should considerably reduce the risk of a breach.
Length of Assessment
Vulnerability assessments rely on commercial scanning tools, and because these run autonomously they can be scheduled to scan 24 hours a day until they complete. For example, where a manual penetration test may cover 10 systems in a day, a vulnerability assessment may scan 100 systems in the same timeframe. This should mean a much shorter time from assessment to report and remediation.
Where does a vulnerability assessment fit into your security programme?
You may be wondering why you should conduct penetration testing if you already do vulnerability assessments, or vice versa. The simple answer is that they are two different types of assessment that should be used together to form an on-going cyber security programme. Supplement your regular penetration testing with vulnerability assessments in between, so that your systems remain secure throughout the year.
Neither type of assessment should be seen as a replacement for the other: performing only vulnerability assessments may leave undiscovered those vulnerabilities that require skill and manual techniques to find and exploit, while a testing plan consisting of penetration tests every month is not an effective use of a security budget.
Vulnerability assessments can also be used in conjunction with a risk-based approach to your security testing by focusing manual penetration testing