Vulnerability Assessment Versus a Penetration Test

The question of whether to do a vulnerability assessment versus a penetration test will probably come up as you look at your security testing plans.  Some folks have a strong preference for one over the other, but both are valid if used appropriately and in the right situation.  Deciding which to use is pretty straightforward.  Let’s just jump into it.

Vulnerability Assessment

The goal of a vulnerability assessment is to find the hosts, services and vulnerabilities present in a set of assets.  Potential vulnerabilities should be validated to make sure false positives aren’t reported on.  A vulnerability assessment will not give you a complete picture of risk and impact for your organization.  The severity of each vulnerability is rated on an individual basis, not on how the vulnerabilities interact with each other.

Here are some examples of when you should use a vulnerability assessment:

  • The organization has not done much or any security testing before.  Start with baby steps.
  • Testing needs to be done frequently.
  • Your organization is good at fixing vulnerabilities quickly.

Penetration Test

A penetration test requires the same steps as a vulnerability assessment, but then actually exploits the vulnerabilities found.  The test’s goal is to see what can be done with a vulnerability and how the vulnerabilities can be combined.  Issues that would be rated with a medium severity on their own could become high severity flaws when they are put together.  A good penetration test adds context to the vulnerabilities found.

You should do a penetration test when you:

  • Have already done vulnerability assessments and have been fixing issues.
  • Need an overall assessment of risk and how vulnerabilities can be used.
  • Want to simulate a likely attacker that is going after your organization.
  • Have compliance or contractual requirements to do a penetration test.
  • Need ammunition to get something fixed. (Politics suck)

Who Should Perform the Assessments

Who should perform the tests depends on a few factors.  A vulnerability assessment is a good candidate for internal employees to do.  It’s easier to work them into the normal responsibilities of your staff.  Plus, they can be performed more often without incurring a lot of extra cost.  It would be a good idea to have a third party perform a vulnerability assessment if you do not have the tools, staff or experience to perform one.  However, you can ask the third party to help you in the learning process.  Once you get enough experience, you can take it over.

Penetration tests are usually better done by a third party.  You may have internal employees who are totally capable of performing a penetration test.  However, they usually have other responsibilities and aren’t allowed the time to do the test.  Compliance requirements usually call for a third party to do a penetration test to avoid the appearance of bias.  If you have staff that you can dedicate solely to penetration testing, then go for it.  If not, then you should look at having a third party do the penetration test.

So those are the basics of when to do a vulnerability assessment or a penetration test.  There are other considerations that may apply to your situation, but the core questions are pretty straightforward.

Jason Wood