Penetration testing or vulnerability scanning

Pentesting and vulnerability scanning are often confused for the same service. The problem is, business owners often use one when they really need the other. Let's dive in and explain the differences.

People frequently confuse penetration testing and vulnerability scanning, and it's easy to see why. Both look for weaknesses in your IT infrastructure by exploring your systems in the same way an actual hacker would. However, there is a very important distinction between the two - and when each is the better option.

Manual or automated?

Penetration testing is a manual security assessment where cyber security professional attempts to find a way to break into your systems. It's a hands-on, in-depth test to evaluate security controls across a variety of systems, including web application, network and cloud environments. This kind of testing could take several weeks to complete, and due to its complexity and cost, is commonly carried out once a year.

Vulnerability scanning, on the other hand, is automated and performed by tools which can be either installed directly on your network or accessed online. Vulnerability scanners run thousands of security checks across your systems, producing a list of vulnerabilities with remediation advice. So it's possible to run continuous security checks even without having a full-time cyber security expert on your team.

One-off or regular?

Penetration tests have long been an essential part of many organization's strategy to protect themselves from cyber attack, and an excellent way to find flaws at a certain point in time. But penetration testing alone can leave organizations defenceless inbetween testing.

Performing annual penetration tests as a primary defence against attackers has long been an essential part of many organisation's strategy to protect themselves from cyber attack, for good reason. And while it is certainly better than doing nothing, it does have a fairly significant drawback — what happens between tests?

For example, what happens when a critical new vulnerability is discovered in the Apache web server operating a sensitive customer portal during that long year between their annual pentesting? Or a security misconfiguration is made by a junior developer? What if a network engineer temporarily opens up a port on a firewall exposing a database to the internet, and forgets to close it? Whose job is it to notice these issues which, if left unchecked, could result in a data breach or compromise?

Pentesting is not enough

Without continuous monitoring of issues such as these, they wouldn't be identified and fixed before attackers got the chance to exploit them.

Companies that need robust physical security often boast of having 24/7 automated solutions to deter attackers 365 days a year. So why do some treat cyber security any differently? Especially when on average 20 new vulnerabilities get discovered every single day.

So you can see why infrequently scheduled pentesting alone is not enough. Here's a simple analogy: it's like checking the locks of your high-security premises once a year, but leaving it unmanned or not checking if it's secure until your next annual once over. Sounds crazy, right? Who's checking that the door's locked?

Around the clock coverage

While some companies still use annual pentesting as their only line of defence, many are starting to see how frequently new threats arise and the value of continuous, automated threat scanning.

Scanning on a regular basis with a vulnerability scanner like Intruder complements manual testing by providing organisations with ongoing security coverage between manual penetration tests. Intruder's automated scanner runs around the clock alerting users to new vulnerabilities as soon as they appear.

Vulnerability scanning is already the first port of call for companies of all sizes, with expert manual penetration testing included in solutions like Intruder's Vanguard employed as a powerful backup.

It's not enough to simply do one or the other. Thankfully, awareness is increasing of the need for a strategy which provides protection all year round.

Intruder's continuous vulnerability scanning service helps you keep on top of the latest vulnerabilities and alerts you to emerging threats which affect your most-exposed systems. Get started with a free trial today.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.