Among the various notions of what constitutes a Vulnerability Assessment and a Penetration Test, two schools of thought stand out. One says that a thorough Penetration Test means finding as many vulnerabilities as possible; the other states that a Penetration Test is goal-specific and is not concerned with other vulnerabilities that may exist.
There is no debate about which of the two is correct, but here’s an argument as to why you should believe the latter.
Terminology
There are two different terms for a reason. If there were no difference between the two, we shouldn’t be using separate terms. Furthermore, there is already a term, security test, for compiling the list of all vulnerabilities.
Distinctive Meanings
- Vulnerability Assessment
It is suitable for people who understand that their security is not where it should be. The assessment is designed to produce a prioritised list of vulnerabilities, and the aim is to identify as many issues as possible.
- Penetration Test
It is designed to achieve a specific, attacker-simulated goal and is ideal for customers who have already attained their desired security posture. The outcome of the test is a report describing how security was breached to reach the goal.
Physical Analog
A tiger team working on government projects is considered a good analogy, as with Richard Marcinko, who ran with red cells. His mission included gaining command of a nuclear submarine and bringing it out into the bay.
Question of Exploitation
Exploitation can be thought of as a sliding scale from 0 to 100 across the two concepts. A serious penetration test leans towards showing rather than telling. It can often be shown that a vulnerability is real without full exploitation.
The assumption that a Penetration test includes a Vulnerability assessment
The assumption that a Penetration test includes a Vulnerability assessment is inaccurate. Recall that a penetration test is result-oriented: you are successful if the goal is achieved. To be precise, it depends on taking advantage of vulnerabilities. Still, testers often stop once they have obtained what needed to be achieved and don’t provide the customer with a complete and prioritized list of vulnerabilities.
- Vulnerability Assessment
Customer maturity level is low to medium; the assessment identifies the vulnerabilities present so that repair/modification can be done.
- Penetration Test
Customers have a high maturity level and believe that their defence is powerful; the test verifies that assertion.