Tag Archive | "pentest"

Pentesting vs Vulnerability Assessment – A Simple Definition


Found a very neat and succinct way of defining the difference between VA and Pentesting.


During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.

The difference between the two, in terms of identifying a need within an organization, is that vulnerability assessment can be achieved using automated tools, whereas penetration testing generally cannot.

This matters because vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS… Doing a VA will not address the pentesting requirement, and vice versa.


Posted in Definitions