Vulnerability VS Penetration Testing
Vulnerability and penetration testing are both techniques to develop more secure and stable infrastructures while minimizing risk as much as possible. However, there is a difference in how each is approached.
Vulnerability testing is a type of technique where one picks a target, identifies the attack surface within the given scope and then diligently finds the different vulnerabilities present within the scope. In vulnerability testing one can find one or more of the following:
- Zero-day vulnerabilities
- Known vulnerabilities:
- With exploits available
- Without exploits available
- Chain of more than one vulnerability making a non-vulnerable service vulnerable
On completing vulnerability testing a detailed report is generated which allows our clients to identify the risk, business impact, level of severity, and cost and time to mitigate the findings to better secure the infrastructure.
Just finding known vulnerabilities does not mean the work is done and a patch has to be put in place. Instead, we further investigate the aspects which are listed as vulnerable. For example, if a client is using vulnerable version of web server but does not use a specific vulnerable module which would make the version vulnerable, we let our client know that overall the web server is safe as long as it does not use the stated module, hence saving cost and time for our clients.
Every vulnerability is also given a CVSS score, which further allows our clients and partners to prioritize the mitigation, as needed. We keep in mind during vulnerability testing that it does not matter if a known vulnerability has an exploit available or not, as we do not exploit the vulnerability once it’s established that there indeed lies a vulnerability.
On the other hand, penetration testing shares all the aspects of vulnerability testing mentioned above with the addition of actually exploiting the vulnerabilities found. This however is a costly and time consuming process which we do not recommend, as an attacker has close to an infinite number of hours to exploit vulnerabilities and make an impact on business logic. The point being that as soon as vulnerability is proven present, mitigation must be carried out.
We are present during and after delivering the vulnerabilities report to explain our findings and to discuss the mitigations with the team of our partners.