In the field of information security there are a lot of professionals at work. Business is booming and organizations want to be safe, right?
Therefore a lot of organizations are contracting ethical hackers or security clubs to test their environment. What I see in the field is that there is some mix-up between terminology and techniques, often caused by the security professionals themselves.
For instance, the penetration test vs. the vulnerability scan. These two are often mixed up, which creates the wrong expectations and therefore leaves organizations paying (sometimes) too much for sham security. And I think that's a bad development, because people have to be informed honestly.
Well, some background info:
Vulnerability scanning
A vulnerability scan is, like it says, a scan for (known) vulnerabilities. Often tools are used which check for already exploited breaches, missing patches and other (already known) issues.
The report which comes out of a vulnerability scan is just a print of the state of the machine, device, or environment compared to some best practices and security checks. It is a quick scan for the use of known software without further in-depth research or next steps. You can see a vulnerability scan as step one of a pentest.
Pentesting
A penetration test is meant to give insight into the risks and vulnerabilities of a system or environment. Based on the vulnerabilities found, the pentester tries to get real, usable information out of systems by literally exploiting the vulnerability. That way he/she can show the organization that there is a real risk. After that he/she will give advice on how to mitigate those risks, mostly in a report with all the facts and figures.
Often pentesters use a Kali Linux distribution, which is already equipped with a lot of 'hacking' tools which the pentester can use to test the environment. See it as an operating system with all the right tools on board, isn't that cool?
Conclusion
Don't believe (or be advised) that pentesting and vulnerability scanning are the same procedure. They are certainly complementary to each other, but they are different. Whether a company will perform a vulnerability assessment/scan or a pentest comes down to the question of whether they:
- have the funding (a pentest is way more expensive)
- and whether their risk profile demands it; in other words, if the information risk is so big that they need in-depth information about the state of their environment, then do a pentest.
Stay safe !!!
Peter