Wedgies & Penetration Testing

In information security, what is the difference between a vulnerability assessment and a penetration test? A penetration test is a vulnerability assessment with the addition of exploitation attempts and manual investigation. A penetration test is not a subset of a vulnerability test, it is an addition to it and has the following benefits.

  • Inspires Corrective Action

  • Helps Organizations Understand Impact

  • Identifies False Positives

  • Measures Defensive Response

 The image above illustrates the first two benefits of a penetration test showing that a vulnerability assessment identifies vulnerabilities, but a penetration test demonstrates impact through exploitation. The exploitation shows an uncomfortable level of exposure but is harmless.  Because it is uncomfortable and tangible, it helps organizations understand the impact and inspires prompt corrective action. Otherwise, the issues may just get added to a “To Do:” list and get delayed or drowned out  by other priorities. A penetration test also provides perspective on how the existence of lower severity vulnerabilities can, in combination, result in a high-risk situation.

Penetration tests also help rule out false positives; a reported vulnerability that is not truly a vulnerability. In our analogy, perhaps the vulnerability was identified based on the brand label of the jeans which are known to have holes. However, during the exploitation attempt it is discovered that a clear barrier has been sewn on from the inside and blocks access. This vulnerability would then be identified as a false positive.

Lastly, a penetration test has the added benefit of measuring the defensive response of the organization. Is the organization able to detect the intrusion and better yet, block it through a secondary defense?

There is another definition for a penetration test which defines it as a goal-oriented attack. In this scenario the tester has a target such as a specific file to access or administrative privileges to gain. This does not provide a comprehensive list of vulnerabilities, it only seeks to find and exploit one vulnerability in order to obtain the goal. Make sure you know what kind of test you are looking for and that you and your tester are on the same page.