Cybersecurity Services - Cybersecurity Guides
Penetration Testing and Vulnerability scanning do overlap a little and some people incorrectly use them interchangeably, but the short answer is, YES, you absolutely need to do both, and for good reason.
Pen Testing vs Vulnerability Scanning: Do you Need Both?
CIS Control 07 covers continuous vulnerability scanning. This is based on automated software scanning and only looks for very specific known vulnerabilities against a database. Vulnerability scanning should be conducted proportionally to the size and complexity of the environment. Small businesses tend to conduct scans on a quarterly basis and larger organizations conduct more frequent scanning, typically daily. I would say the average today is on a monthly basis, which is a reasonable frequency for discovering new vulnerabilities, along with the patches/fixes to address them.
CIS Control 18 covers Penetration Testing, which is a much more sophisticated test, but very manual, work-intensive, and expensive. It’s not practical to conduct ongoing Pen Testing. It’s important to do this yearly at a minimum and also following any major changes to the environment. That said, it is much more likely to discover potential weaknesses through Pen Testing and can provide a greater level of detail, including how a particular vulnerability could be exploited in your environment. The CIS and other leading frameworks make a clear point to separate the two because they need to be managed and conducted separately, but each are important to harden your environment.
Here is an excerpt from the CIS Controls document on this:
“Vulnerability testing just checks for presence of known, insecure enterprise assets, and stops there. Penetration testing goes further to exploit those weaknesses to see how far an attacker could get, and what business process or data might be impacted through exploitation of that vulnerability. This is an important detail, and often penetration testing and vulnerability testing are incorrectly used interchangeably. Vulnerability testing is exclusively automated scanning with sometimes manual validation of false positives, whereas penetration testing requires more human involvement and analysis, sometimes supported through the use of custom tools or scripts. However, vulnerability testing is often a starting point for a penetration test.”
An interesting development in the industry is automated penetration testing solutions which will essentially act like a vulnerability scanner, but then take it a step further by simulating an exploitation of the vulnerability within your environment. The automation of this makes it much easier to test more frequently and it's more cost effective. The controversy here is that Penetration Testing usually leverages highly experienced ethical hackers to use the latest tools, trends and their human expertise to determine how to exploit a particular environment, which would be hard to do at the same level with a software platform. This starts to get into the AI vs Human intelligence debate. Most standards and frameworks today still recognize a true Penetration Test with a human behind the keyboard, leveraging software and tools, for the best of both worlds. As of right now, it seems like the software-based pen testing will be a supplemental method, but not a replacement.
For more information on Penetration Testing or Vulnerability Scanning, read our guides on each, links directly below!
See our list of references below
Review these sources for more information
Cyber Outlook's Penetration Testing Guide https://www.cyberoutlook.org/post/penetration-testing-guidelines
Cyber Outlook's Vulnerability Scanning Guide https://www.cyberoutlook.org/post/vulnerability-scanning
Tripwire article explaining Pen Testing vs Vulnerability Scanning https://www.tripwire.com/state-of-security/difference-vulnerability-scanning-penetration-testing
Fortinet article comparing Vulnerability Scanning and Pen Testing https://www.fortinet.com/resources/cyberglossary/vulnerability-scanning-compare
CIS Controls Version 8 https://www.cisecurity.org/controls