What is a penetration test?

What is a penetration test?

Penetration testing simulates an attack by a malicious party by using tools and manual investigation to identify weaknesses. Testing involves the exploitation of found vulnerabilities to gain further access. Using this approach will result in an understanding of the ability of an attacker to gain access to confidential information, affect data integrity or availability of a service and the respective impact.

What do you get?

This approach looks at the depth and impact of a potential attack, as compared to the security assessment approach that looks at the broader coverage. It is great for understanding the depth of exposure from a vulnerability but it can result in a narrow focus that potentially misses other vulnerabilities that would have been identified through a security assessment. The level of assurance gained is directly associated with the ability of the tester, the scope of engagement and the time and effort allocated.

For more information on security testing, see our blog here and download our cheat sheet here.

What is a security assessment?

What is a security assessment?

A security assessment builds upon a vulnerability assessment by adding manual verification of the results to confirm the level of exposure. It does not though include the use of exploitation code to gain further access to systems.

What do you get?

A security assessment is looking to gain a broad coverage of the systems under test but does not consider the depth of exposure to which a specific vulnerability could lead. False positives should be excluded through the analysis of the results. Security assessments are great for exposing business logic flaws and identifying security vulnerabilities that automated tools are unable to identify. This leads to a higher level of assurance. However, the time and effort required to complete a security assessment are higher than vulnerability scanning and assessments and require a higher level of technical skill to deliver.

For more information on security testing, see our blog here and download our cheat sheet here.

What is a vulnerability assessment?

What is a vulnerability assessment?

A vulnerability assessment takes a vulnerability scan a step further by using a security tester‘s knowledge to drive an appropriate use of automated tools and test scripts.

What do you get?

The report for the results should be manually created, which places the findings into the context of the environment under test. An example would be removing common false positives from the report and deciding risk levels that should be applied to each report finding to improve business understanding and overall context of a finding. It is great for increasing the level of assurance gained through automated testing, whilst still helping to keep costs low.

For more information on security testing, see our blog here and download our cheat sheet here.

What is a vulnerability scan?

What is a vulnerability scan?

A vulnerability scan uses automated tools to identify known security issues through matching conditions with known vulnerabilities.

What do you get?

The tool automatically sets the risk level for the results of the scan and no manual verification or interpretation of the results prior to issue takes place. This is great for identifying technical vulnerabilities at a low financial cost. However, it also generates a high level of false positives while missing certain types of issues. This limits the overall level of assurance gained.

For more information on security testing, see our blog here and download our cheat sheet here.