Nytro, posted November 3, 2011

Vulnerability Assessment vs Penetration Testing

Few topics in the infosec world create as much heat as the classic "vulnerability assessment vs. penetration test" debate, and it’s no different in the web application security space. Sadly, the discussion isn’t usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms.

So, I’ll be ambitious here and will tackle both subcomponents of the debate here: 1) what the terms actually mean, and 2) which is better for organizations to pursue.

Web Vulnerability Assessment vs. Web Penetration Test

It’s worth stating explicitly that these two types of security test are in fact quite different. Many make the mistake of thinking that a penetration test is simply a vulnerability assessment with exploitation, or that a vulnerability assessment is a penetration test without exploitation. This is incorrect. If that were the case then we’d simply have one term that we’d qualify with "with or without exploitation".

A web application vulnerability assessment is fundamentally different from a penetration test because its focus is on creating a list of as many findings as possible for a given web application. A penetration test, on the other hand, has a completely different purpose. Rather than yield a list of problems, a penetration test’s focus is the achievement of a specific goal set by the customer, e.g. "dump the customer database", or "become an administrative user within the application". Also important to note is the fact that a penetration test is successful if and when the goal is achieved–not when a massive list of vulnerabilities is produced. That’s what a vulnerability assessment is for.

Some are tempted to say that this is a goal-based penetration test. My question to them is simple: "As opposed to what other type?" Penetration testing is goal-based. That’s its entire purpose. Even a customer direction as nebulous as "see what you can do" is absolutely a goal. It’s an implicit goal of getting as far as you can given whatever constraints are in place.

The question of exploitation is another obstacle to clarity on this topic. Many have a simple binary switch for using the terms: "If there’s exploitation it’s a penetration test and if not it’s a vulnerability assessment." Again, the key difference here is list-based vs. goal-based–not exploitation. It’s possible to do (or not do) exploitation in both types of test. You can have a web vulnerability assessment where you are to exploit anything you find, and you can have a penetration test where you are asked to confirm that you can do something but not do it. Exploitation is an independent attribute that can be attached to either type of test.

When to Use One vs. the Other

Now that we see a distinction between terms, the next question is, "Which one is best?" Which should we be offering customers? As you may expect, the answer is that it depends on the customer and the project, but in my experience the answer will usually end up being a vulnerability assessment. Why? Because vulnerability assessments (getting a list of everything that needs fixing) are usually where most customers are in terms of maturity.

To tightly summarize:

via h30499.www3.hp.com

Daniel’s dissertation on this matter is excellent. As the security landscape changes we will see more actual pentests occur, but right now most of what your testers are doing are assessments sold as pentests.

That isn’t a bad thing. Pentesting is sexy because it has been marketed that way, not necessarily because it is better (or even a more fun project to work on) but because it fits a FUD marketing niche.

When I DO do an actual penetration test I prefer pentests with open goals that, within context to a business, my team can go after what they think affects the business the most.

It’s an important distinction that what the business "thinks" is the crown jewels and keeps them running (or is most valuable) is not actually what can hurt them the most. Some of our best attacks have been side channel, crazy things that have shown some of our awesome customers better ways to secure themselves.

Assessments and Pentests will probably continue to be muddled terms hacked together by sales guys who work for bad consultancies for years to come. It’s important to testers and PMs to know the real differences though.

There is an even longer version of this discussion on his blog (http://danielmiessler.com/writing/va_vs_pt/#).

November 2, 2011, Jhaddix

Source: http://www.securityaegis.com/vulnerability-assessment-vs-penetration-testing/