What is the difference between Penetration Testing and Vulnerability Assessment?

bspeka
3 min read · Jun 17, 2021


Intro

At bspeka we often get requests for Penetration Testing, but the request does not always actually mean Penetration Testing. That's why we’ve decided to write this article.

Vulnerability Assessment and Penetration Testing are both options for Security Testing. Let’s dive into this topic and try to cover the main aspects of these processes from the Application Security point of view.

Goal

Vulnerability Assessment is the process of identifying threats and vulnerabilities in a target application. The goal of Vulnerability Assessment is to find as many vulnerabilities as possible in a limited time frame and within the testing scope.

Penetration Testing is a controlled attack simulation that helps to identify susceptibility to application breaches. The goal is to gain unauthorized access through exploitation which can be used to emulate the intent of a malicious hacker.

Time

From a time perspective, Penetration Testing and Vulnerability Assessment are usually limited to a 2-week timeframe; the actual duration depends on application complexity and the number of features.

Report

The Vulnerability Assessment report includes all security issues discovered in the examined application. The Penetration Testing report, by contrast, describes only the path (chain of features, security flaws, misconfigurations) to getting higher privileges in the tested application.

So the Vulnerability Assessment report will be a list of issues:

The Penetration Testing report is written like a story:

I’ve opened the application and found the login form. I’ve tried to enter the credentials admin/admin and …

For example, say you’ve developed yet another CMS for a news site, and its features look like this:

The Vulnerability Assessment report will include issues discovered in these features:

The Penetration Testing report, meanwhile, will most likely include the following issues:

Important note: Penetration Testing involves exploiting discovered weaknesses to go deeper and deeper, and the report includes a step-by-step description of the exploitation.

Checklist

At bspeka we are sure that the customer must get proof of security test coverage during the Vulnerability Assessment. We use the OWASP Testing Guides and checklists based on these documents.

For example, for Mobile Application Vulnerability Assessment (iOS and Android) we use the checklist from this GitHub repository, and this one for Web Application Vulnerability Assessment.

Summary

You’re free to choose any type of security testing for your application, but our recommendation is to start with a Vulnerability Assessment to cover the whole attack surface and leave an attacker without low-hanging fruit.

The following table can be used as a small crib:

We’re happy to answer any remaining questions through our contact form.

Originally published at https://blog.bspeka.com.

Written by bspeka

We're helping organizations identify and address potential security vulnerabilities in applications and infrastructure.