Confusion between vulnerability scanning and penetration testing often results from loose use of the terms. By conflating the two, companies might overlook a significant component of their overall network security profile. Vulnerability scans and vulnerability assessments serve to highlight the known vulnerabilities in a company's environment. This is done with tools that search for known vulnerabilities in operating systems, applications, wireless access points, firewalls and so forth. Penetration testing, on the other hand, is an active attempt to exploit the weaknesses of a company's environment. Both are important functions, and both have their place in measuring and understanding the risks that businesses face. A vulnerability scan, for example, can today be automated and run in the background. A penetration test requires significant expertise and patience to learn the environment and attempt various break-ins.

Vulnerability scanning is a regularly scheduled good business practice; it might be an ongoing project or run monthly at smaller sites. Often the vulnerability scanner will be integrated within a larger monitoring environment. Penetration testing is much more likely to be done on an annual basis by highly skilled analysts who are external to the company, to avoid any conflict of interest. Common engineering practice is to perform a vulnerability scan when adding new equipment or software, before the deployment is finalized, to ensure the configuration is sound. Most companies perform vulnerability scans at least quarterly once the value of doing so is proven. Vulnerability scans typically detect issues such as misconfigurations, the use of excessive or unneeded protocols, open ports that should be closed, outdated certificates and the use of services that expose company information.

One item that the Security Officer in every organization should recommend is to create and maintain a baseline report on key equipment and software. This document provides a reasonable snapshot at a point in time; it can be used to explain vulnerabilities to executives and serves as a roadmap for mitigations. Where the baseline is known and monitored, the regular use of a vulnerability scanner can alert the network defenders to any unauthorized changes to the environment.

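
The baseline-versus-scan comparison described above, together with the kinds of drift a scan typically flags (open ports that should be closed, unapproved services, outdated certificates), as an added example that is not part of the original article. The hosts, ports, services and dates are constructed sample data, and the function and field names are hypothetical; a real deployment would load both snapshots from the scanner's export.

```python
"""Compare a fresh vulnerability-scan snapshot against the approved baseline
and report drift. All data below is constructed for illustration."""
from datetime import date

# Constructed baseline: the approved state of two hosts at snapshot time.
BASELINE = {
    "web01": {"open_ports": {443}, "services": {"nginx 1.24"}, "cert_expiry": "2026-06-01"},
    "db01": {"open_ports": {5432}, "services": {"postgresql 15"}, "cert_expiry": "2025-12-01"},
}

# Constructed later scan: web01 has drifted and an unbaselined host appeared.
NEW_SCAN = {
    "web01": {"open_ports": {443, 8080}, "services": {"nginx 1.24", "telnetd"}, "cert_expiry": "2026-06-01"},
    "db01": {"open_ports": {5432}, "services": {"postgresql 15"}, "cert_expiry": "2025-12-01"},
    "lab03": {"open_ports": {22}, "services": {"openssh 9.6"}, "cert_expiry": None},
}


def baseline_diff(baseline, scan, today_iso, cert_warn_days=30):
    """Return (host, finding, detail) tuples describing how `scan` departs from `baseline`."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host in sorted(set(baseline) | set(scan)):
        if host not in baseline:  # new equipment nobody baselined
            findings.append((host, "unbaselined host", "present in scan, absent from baseline"))
            continue
        if host not in scan:  # baselined equipment that no longer answers
            findings.append((host, "missing host", "present in baseline, absent from scan"))
            continue
        b, s = baseline[host], scan[host]
        for port in sorted(s["open_ports"] - b["open_ports"]):
            findings.append((host, "new open port", str(port)))
        for port in sorted(b["open_ports"] - s["open_ports"]):
            findings.append((host, "expected port closed", str(port)))
        for svc in sorted(s["services"] - b["services"]):
            findings.append((host, "unapproved service", svc))
        if s.get("cert_expiry"):  # certificate checks apply only to hosts presenting one
            days_left = (date.fromisoformat(s["cert_expiry"]) - today).days
            if days_left < 0:
                findings.append((host, "expired certificate", s["cert_expiry"]))
            elif days_left <= cert_warn_days:
                findings.append((host, "certificate expiring soon", s["cert_expiry"]))
    return findings


def run_example():
    """Diff the constructed snapshots as of a fixed, constructed date."""
    return baseline_diff(BASELINE, NEW_SCAN, "2025-11-15")


if __name__ == "__main__":
    for host, kind, detail in run_example():
        print(f"{host:6} {kind:26} {detail}")
```

Each finding maps directly onto the baseline report: a new open port or unapproved service is an unauthorized change to investigate, while a certificate nearing expiry is a mitigation item for the roadmap.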
Penetration testing is most often performed by a third-party external vendor and is quite different from a vulnerability scan. Penetration tests will work to identify (and exploit) almost any weakness that a threat actor could exploit, including physical weaknesses, forgotten or legacy databases that store valid user credentials in unencrypted form, unencrypted transmissions, improperly configured hardware and software, and instances of password re-use. These might seem technical and quite sophisticated, but knowing that your organization has improper security methods and practices may save significant embarrassment, or potential fines in the case of regulated industries. Today, more than ever, a strong security presence is required to avoid the expensive alternatives.