Pen-Test vs Vuln-Scan

I entered into a bit of debate amongst some experts that I respect recently while discussing Penetration Tests, Vulnerability Scans and similar activities.  It seemed we were all saying the same things, but coming to drastically different conclusions.  It’s important in my line of work to understand (and have understood) what a Pen-Test is, what it isn’t, and also to differentiate it from a Vulnerability or other Scan.  Otherwise we would just be doing Pen-Tests everywhere on everything…

  •  A Penetration Test by examining the name, implies an external test on a targeted service.  You are attempting to penetrate _­something_.  It can be a firewall, a web interfacing application that leads to a database, or some other exposed service.  Generally the exploit being tested is “run” to some extent in order to identify its effectiveness and applicability, even if only to get a return code or error indicating the presence of the vulnerability.  Pen-Testing is generally manually performed, active in nature, although some automation has been introduced in newer tools.  OWASP provides much guidance in what to test for.
  • A Vulnerability Scan is an internal or externally originating test of a target system and its software components, looking to ENUMERATE, but not exploit, known vulnerabilities in software or a few specific configuration items (no SA password, too many admins, etc.).  Vulnerability Scanning is largely automated.  It uses specific signatures (registry keys, file version/size, etc) to trigger and is passive in nature.  CVE is the standard record referenced.
  • Hardware, firmware and mis-configurations can introduce exploitable vulnerabilities, however they are generally considered part of CONFIGURATION (or hardening) scanning rather than VULNERABILTY scanning.  We are expected to put configuration items like systems together based on a specific standard, and config-scans check that these standards are met.  Their existence is generally not discovered by, but can be indicated by and exploited in a Pen-Test or Vulnerability Scan.  Configuration Scanning is typically automated and passive in nature.  SCAP is the standard most often referenced.

Pen-Test Tools, Vuln-Scanners & Config-Scanners are blurring the lines in some cases, as they combine and add features and overlap offerings, however their full capabilities are generally sold as discrete modules by vendors in order to maximize revenue.

 The scope of Vulnerability Scanning is not the same as that for Penetration Testing. 

  • Penetration Testing should be done on specific interfaces or points of presence that are offering specific services.  
  • Vulnerability Scanning should cover EVERYTHING in the environment.  Software and O/S vulnerabilities are pervasive, but may not directly offer attackable services, and if not managed broadly, will eventually expose a path to the crown jewels. 
  • Config Scanning should be done on everything too, but uses a specific benchmark for each system configuration based on the services provided and hardening requirements of the system identified by policy.

 The intention of each scan is the same; to identify weaknesses within the environment, but their execution, scope and deliverables are completely different.

 Here is an article that supports most of the above:

Just another 2¢ provided by your friendly neighborhood InfoSec Manager.  Feedback and opinion are always welcome…