
Pentesting vs Vulnerability Assessment – A Simple Definition

Found a very neat and succinct way of defining the difference between a vulnerability assessment (VA) and a penetration test.

During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.

The practical difference, when working out which one an organization needs, is that a vulnerability assessment can be carried out largely with automated tools (a scanner matching services and versions against known vulnerabilities), whereas a penetration test generally cannot, because it depends on a tester actively attempting to exploit what was found.

Why this matters is that vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS (in the PCI DSS versions current when this was written, Requirement 11.2 covered vulnerability scanning and Requirement 11.3 penetration testing)… Doing a VA will not satisfy the pentesting requirement, and vice versa.


2 Responses to “Pentesting vs Vulnerability Assessment – A Simple Definition”

  1. Thanks for continuing this discussion. We look at it a bit differently, but honestly, I just wish everyone were on the same page, because it seems like everyone is different.

    Our angle:
    Pentesting – an external test that tests the perimeter of a network, but we do not drill down and truly penetrate unless otherwise directed

    Vuln Assessment – an internal, inside-the-firewall type of testing where we scan subnets and IPs to ensure patches, vulnerabilities, and exposures are found and limited.

    Sharing this with my team, so they may comment as well. Thanks.

  2. admin says:

    Thanks for the comment Brad. I had a look around based on your comments and found this paragraph in the PCI SSC’s Information Supplement: Requirement 11.3 Penetration Testing document, available from “https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf”:

    “A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.”

    I wasn’t actually referencing this when I initially wrote this post, but to me this provides a pretty clear delineation… Vulnerability assessments can be external too – think in terms of what an ASV does.
