The topic penetration testing vs. vulnerability assessment often raises heated discussions not only in terms of which is better, but also concerning the difference in the meaning of these software security measurement approaches.
Let’s take these two issues and make them clear.
How do they differ?
The purposes of these two security testing types are initially different. While vulnerability assessment aims to collect as many problematic security issues as possible in the given product, penetration testing aims to try the system by performing some defined actions. One can often hear an opinion that the main difference between these is simply presence or absence of exploitation. But I’d rather suggested that the line between the two methods was drawn not in terms of exploitation, but in terms of goal. Where the goal of vulnerability assessment isn’t that definite and the technique is rather exploratory, the other one always has the end goal which defines the success of every penetration test.
Which is better?
As far soon as the meaning and difference of the two testing types is clarified, the next question arising is “When should one use one and the other?” and, probably, “Which one is the best to offer the customers?” Here you may fairly expect me to say that it all depends on the customer and his project. While this seems reasonable, most prefer doing a vulnerability assessment on the project. The reason usually lies in the technical maturity of the customer, and vulnerability assessment is what seems right for customers most of the time.
Let’s briefly outline when these two types of testing are used and why, for you to be able to decide on the suitable one yourself:
- Vulnerability assessment needs only low to medium customer maturity since it’s applied when the customer suspects his product has security issues and needs help to identify them. The focus of such security testing will be on breadth as its goal will be compiling a list of prioritized vulnerabilities in the given environment so that to make a foundation for later remediation.
- Penetration testing, on the contrary, requires the customer to be highly mature in terms of understanding his project and security issues. This type of security testing is applied when the customer is sure of his system’s security measures, but wants to prove their efficiency by testing. The focus here is on depth since the goal of an assertion test is to determine if the secure system withstands a certain action of an advanced attacker.