Newcomers to the information security field often confuse the two terms "Vulnerability Assessment" and "Penetration Testing", because in both cases we assess either a whole security program, a single system, or specific security controls in order to find flaws and report them to management.

There is nothing to worry about; the two terms are simple to distinguish. Vulnerability assessment is one part of penetration testing, or one step in performing a penetration test.
Vulnerability assessment is a procedure for finding the flaws or weaknesses that exist in the current security environment. A vulnerability assessment is designed to produce a prioritized list of vulnerabilities and report them to management so that further action can be taken.
Penetration testing, by contrast, is not just about finding weaknesses and reporting them to management or to the people concerned, but about exploiting those vulnerabilities to prove what impact they would have if these weaknesses were compromised.
According to Kevin Henry, the author of the Penetration Testing Guide Book: "Penetration testing is the simulation of an attack on a system, network, piece of equipment or other facility, with the objective of proving how vulnerable that system or 'target' would be to a real attack".
Kevin Henry defines penetration testing in several ways, but the definition above makes the distinction between vulnerability assessment and penetration testing clear. A vulnerability assessment is about examining an entity's security systems to find flaws and weaknesses; penetration testing goes beyond that examination and exploits those weaknesses to demonstrate the actual result.