Penetration testing versus vulnerability assessment
The major difference between penetration testing and vulnerability assessment is the exploitation step. A vulnerability assessment does not involve exploitation, whereas exploitation is the main focus and the actual result of a penetration test.
Here are some other noteworthy differences:
| Differentiators | Vulnerability assessment | Penetration testing |
| --- | --- | --- |
| Automation | Can be fully automated, up to the level of satisfactory and reliable results. | Can be automated to a certain extent, but it takes a skilled individual to look for all possible loopholes and actually use that information to exploit and penetrate the system from different entry points altogether. |
| Time | Since it can be automated, it takes less time, depending on the number of checks and the number of systems being checked. Mostly, it can be done in a matter of minutes on a single machine. | Since it is manual, it needs human efficiency and creativity to think outside the box and exploit the vulnerabilities in order to gain access. It can take days to completely gain access to a system that is adequately secured. |
| Noise level | Passive and creates fewer logs | Noisy and aggressive; creates a lot of logs and can be very messy |
| False positives | Reports false positives | Eliminates false positives |
| Approach | Programmed | Intuitive |
| Nature of tests | Identical tests/scans | Accurate/thorough |
| Exploitation | N/A | Complete access on system |