Penetration testing is sometimes like using a scalpel to cut down a tree: sure, it might work, but for some customers it’s the wrong tool for the job. Specifically, those who have no sense of their current security posture may feel overwhelmed by a penetration test.
What’s the difference between vulnerability scanning and penetration testing? Good question! Vulnerability scanning makes use of tools to identify known or suspected weaknesses in systems. Good vulnerability scanners these days have tens of thousands of signatures they can look for to find such weaknesses, and those signatures change almost daily. Penetration testing takes this a step further by having a human use the results of the scan to perform complex, targeted attacks on systems. While a penetration test is undeniably a more comprehensive look at security posture, vulnerability scanning can be used to get a “quick feel” and evaluate attack footprints and the like.
We at Alasdair don’t dismiss the vulnerability scan in favor of pentesting – we find value in both! If your organization is just starting down the security path or needs a quick gut-check, vulnerability scanning might be right for you. Because it’s quick and requires less manual intervention, it offers considerable cost savings as well, albeit at a cost of less depth. We use well-known tools for conducting our vulnerability scans, and even these reports are custom-created for our clients rather than being some machine-generated mess of unqualified risks (see our relevant discussion in the Penetration Testing section [link]).
Confused as to which is right for you? We’re happy to help you evaluate that decision! We pride ourselves on helping customers choose the right solution for the job, and we promise you that we won’t look to upsell you on the more complex and expensive pentest if it’s not warranted. After all, perhaps you need an axe and not that scalpel!
Sidebar: Play It Again, Sam
Despite Bogey not having actually said that in Casablanca*, it’s a reminder that vulnerability scans are often more useful when repeated periodically. This not only allows you to see changes in security state, but also whether your attack footprint is evolving. It can be a useful method for tracking progress as well. We’re happy to set up scheduled vulnerability scans if you see value in repeating the task on a regular basis.