Vulnerability means Security gap.
Vulnerability Analysis or Vulnerability Assessment is the process of discovering security gaps or vulnerabilities. Many false positives sometimes termed as potential vulnerabilities.
To perform VA, set of softwares are required.
VA apps are dependent upon the Vulnerability Database almost equivalent to Anti-Virus Signatures.
Vulnerability Database fetches the details from CVE -Common Vulnerability Exposure.
*The advancement of the VA in the domain of Artificial Intelligence (AI) and Machine-Learning (ML) – Autonomous or Self-initiating the VA scan engines has already emerged.
AI and ML integrated in the VA engine cannot override human intelligence. Although some people think it will happen in the near future.
Reports are very intuitive as it is built by many large organisations. Separate reports for Executives, IT Security, Stake Holders, CIOs, CISO, Score Cards so on and so forth.
Vulnerability Assessments (VA) can only show the remediation what is already present in their database mostly CVEs. However, lot of big VA companies claim they have Vulnerability Researchers.
VA determines at a scale about the vulnerabilities
iii. Web apps
iv. Mobile apps
v. Internet of Things (IoT)
Unauthenticated or VA without the credentials will only discover what is visible to the external.
Authenticated Vulnerability Assessment with credentials are widely used in the enterprise (especially with AD/ LDAP domain creds/app creds). It will just point out where the location of the version of the vulnerability.
VA will never be able to custom draw the network topology. Not to be confused with the Network Monitoring and Management Systems. Knowing the Topology is essential before gaining access.
VAs do not build the custom packets to evade the security layers like Web Application Firewall (WAF), firewall, intrusion prevention/detection systems (IPS/IDS) so on & so forth.
The intent is to fix the existing vulnerabilities of the infrastructure by what is present in the Vulnerability Database.
VA apps will never understand the hackers methodology or discover the attack vectors.
Compliance requirement for ISO 27001 – Information Security Management Systems ISMS.
Vulnerability Assessment is far ahead than the Security Audits. Continuous Vulnerability Assessment is essential.
Do not have the ability to custom code payloads and/or exploits to find out whether it is false-positive or false-negative.
VA cannot assess the Insider Threats.
VA cannot perform Social Engineering tests such as the Phishing/Vishing assessments.
Penetration Testers perform security assessments to find the vulnerabilities.
Penetration Testing is the process of exploiting vulnerabilities to prove the vulnerability is a genuine one or not. It means whether the found vulnerability is false-positive or false-negative.
Pen Test is always manual. We automate it with our scripts to ease the process.
Pen Testing or PT solely depends on the security practitioners expertise.
Pen Testers even find Zero days and publish it to CVEs.
Although there are many automated tools for PenTesting. Nothing has ever come close to the PenTesters expertise and the different attack vectors.
AI and ML in the VA engine or our scripts baked with AI/ML will complement it to do only repetitive tasks or the datasets that we feed into it.
Reports are manual and it is custom mapped by PenTesters if there are any CVEs or CVSS IDs. Else they will just mention it as a newly discovered and its impact.
Always a Proof-of-Concept (PoC) with screenshots, logs and the logs. It can be reiterated to demonstrate the genuineness of the vulnerability.
PT goes very deep than any traditional vulnerability scanners can reach. PenTesting can be done for any things and everything but it solely depends on the pentester knowledge. PenTesting even for Zero days and undiscovered vulnerabilities by the VA apps so that it will be updated in the CVE database.
External PenTesting goes far ahead as we discover lot of other things which VA cannot
White Hat Pen Testing or IT Security Assessment is again equivalent but not the same as it requires a PenTesters with the credentials and their expertise to prove whether it is a false-positive or false negative with the screenshots, Proof of Concept and logs.
PT will always have the ability to understand the Defense-in-Depth (DiD) and draw a network topology. We usually do it in the Reconnaissance, Scanning phase.
PenTesters will evaluate and create a custom packets and create a path bypassing or evading all the security mechanisms or defense-in-depth strategies.
The intent is to safeguard the entire organisation by simulating multiple attack vectors before malicious hackers do.
PenTesting is performed to analyze from the malicious hackers perspective.
Compliance requirement for CCPA, GDPR, HIPAA, PCI-DSS. Good to have even for ISO 27001
Pen Testing goes an extra mile than any Vulnerability Assessment apps could ever reach. The depth of the vulnerability.
Pen Testing is usually performed manually. We develop payloads and exploits. We even write custom scripts.
PT can perform insider threats assessment too.
PT performs Social Engineering such as Phishing and Vishing assessments.