(This post provides an overview of vulnerability assessment and penetration testing activities. For a deeper dive into advanced penetration testing techniques and the latest security research tune-in to Paul’s Security Weekly.)
Over the decades, many have inaccurately described vulnerability assessments as penetration tests. What is the difference between a vulnerability assessment and a penetration test? Do you need both?
Let’s start by defining some terms:
- A vulnerability assessment is a broad network (or endpoint) based scan to identify vulnerabilities. These vulnerabilities are typically classified using Common Vulnerability Enumerations (CVEs) with a Common Vulnerability Scoring System (CVSS) score between 0 and 10.
- A penetration test is an assessment of security weaknesses or vulnerabilities to determine if they can be exploited and what unauthorized activities can be conducted. Several tactics, including Exploits, can be used remotely or locally to laterally move across a network to breach data.
Based on these definitions, most organizations should start with a vulnerability assessment to help identify vulnerabilities in their environment. However, this will typically create a list of thousands, if not tens of thousands, of vulnerabilities. How do you prioritize which of these vulnerabilities are most critical to fix?
Although the vulnerability scanning companies have added better prioritization capabilities within their platforms, penetration testing tools can actually validate which vulnerabilities are exploitable, thus prioritizing vulnerabilities based on actual impact to an organization.
This is where Core Security’s Core Impact provides value. Core Impact is an easy-to-use penetration testing tool with commercially developed and tested exploits that enables your security team to exploit security weaknesses, increase productivity, and improve efficiencies.
By importing data from your vulnerability scanner(s), Core Impact can rapidly evaluate a scan’s output and provide a prioritized remediation plan of your system’s weaknesses based on real-world risk, providing the following benefits:
- Replicate Attacks to Find Security Gaps and Test Defenses
- Validate Remediation Effectiveness
- Test People and Processes
To see a discussion of Core Impact, watch the interview on Paul’s Security Weekly here.