It amazes me that most of the “security companies” that offer penetration testing services don’t know what penetration testing is. Specifically, they don’t deliver penetration tests even though they call their services penetration testing services. In most cases their customers think that they’re receiving penetration tests but instead they’re receiving the lesser quality vulnerability assessment service.
When customers are looking to purchase penetration testing services they should receive penetration testing services. Likewise, when they’re looking to purchase vulnerability assessment services they should receive vulnerability assessment services. Unfortunately, customers won’t know what they’re receiving unless they clearly understand what those services are and how those services are defined. The services are not interchangeable and they are entirely different.
The English dictionary defines a Penetration Test as a method for determining the presence of points where something can make its way through or into something else. Penetration testing is not unique to Information Security and is used by a wide variety of other industries. For example, penetration testing is used to test armor by exposing the armor to a level of threat that is usually slightly higher in intensity than what it will face in the real world. If the armor is defeated by the threat then it is improved upon until it can withstand the threat.
The standard product of penetration testing is a report that identifies the points where penetration is possible. If the service that was delivered was a real penetration test then the report cannot contain any false positives. You either penetrate or you don’t; there is no grey zone. If the report contains false positives then the service that was delivered was not a true penetration test and was likely a vulnerability assessment, which is an entirely different and lower quality service.
A Vulnerability Assessment as defined by the English dictionary is a best estimate as to how susceptible something is to harm or attack. Vulnerability assessments are often used where penetration testing is too risky. Specifically, a vulnerability assessment might be used to assess the Eiffel Tower, the Statue of Liberty, the strength of a bridge, etc. The important difference between Penetration Tests and Vulnerability Assessments is that Vulnerability Assessments do not prove that vulnerabilities exist but instead provide a best guess as denoted by the word “assessment”.
With regards to IT Security, Vulnerability Assessments test at a lower threat level than the real world. This is because Vulnerability Assessments do not exploit the vulnerabilities that they identify, yet malicious hackers do. Vulnerability Assessments alone are inadequate when it comes to providing deep and effective testing services, but they are useful for performing quarterly maintenance and checkups.
Lastly, don’t allow your vendor to confuse methodology with service definition. Methodology defines how a service is delivered, but not what a service is or from what perspective it is delivered. With regards to security testing there are only two core services, Vulnerability Assessments and Penetration Tests. You can apply those services to Web Applications, Networks, People, Physical Locations, WiFi, etc. For example, you can receive a Web Application Penetration Test, or a Network Vulnerability Assessment. You wouldn’t need to receive both a Vulnerability Assessment and a Penetration Test against the same target, as that would be redundant. A Penetration Test covers the same ground as a Vulnerability Assessment, only with more depth and accuracy.