What is actually the difference between a vulnerability scan and a penetration test? There are some interesting misconceptions about this, as the following practical example shows.

Automated penetration tests are often not usable

We were recently approached again by a prospective client operating in a regulated environment who had been required by the regulator to submit a penetration test of their application. We had been in discussion with this prospect for some time, and learned from the latest conversation that they had meanwhile decided to use an automated testing procedure, a so-called “Penetration Testing Platform”. Such platforms promise fully automated penetration tests against the target application – in this case a web application – in return for a monthly subscription fee.

The result – the “Penetration Test Report” – was then submitted to the supervisory authority and came back with the note that its contents were not usable. It was merely an automated vulnerability scan; it contained no comprehensibly documented attempt to exploit the vulnerabilities found.

In penetration tests, the know-how of the tester is crucial

And this is exactly the essence of a penetration test: the attempt to actually exploit identified vulnerabilities with appropriate means, and to document that attempt in a way a reader can follow. A vulnerability scan, by contrast, is concerned with detecting vulnerabilities. While vulnerability detection can be highly automated in many environments, this is only partially true of penetration testing. Penetration testing depends on the know-how and practical experience of the tester, because considerable parts of it are manual work. Not every activity can be automated, and where automation is used, the tools (e.g. scripts) usually have to be written or parameterised individually for the target.

It should be added that, depending on the environment, even the identification of vulnerabilities – i.e. precisely what is classically the subject of a vulnerability scan – can require considerable expertise on the part of the tester. An automated scan usually gives a reasonably complete picture of known vulnerabilities in IT infrastructure (e.g. virtualised servers in on-premise or cloud environments), because it can match versions and configurations against known issues. In applications this works only to a limited extent: business-logic flaws, authorisation errors and chained weaknesses are not found by pattern matching. Here, specialists and their experience are needed.

Back to our prospective customer: believing in good faith that the “Penetration Testing Platform” would deliver a meaningful penetration test report, they took out a subscription (which, by the way, costs only a few euros per month) and paid for almost a year – only to discover that the result did not keep its promise. Our recommendation: whenever a provider advertises a fully automatic solution to a problem, take a close look and check what is actually being offered for the money. This prevents expensive wrong decisions.

At TEN Information Management you get IT security assessments tailored to your needs – inexpensively, seriously and competently. Just like the prospect mentioned in this example, for whose application we have now carried out a “real” penetration test.

Interested? We are happy to offer a free initial consultation.
