In this post, I would like to share the difference between Vulnerability Assessment and Penetration Testing as they are applied in real-life security testing. Some organizations choose to do both, depending on the project scope and budget.
Organizations sometimes misunderstand the two terms, or are misled about what each one actually delivers.
Vulnerability Assessment is a procedure suited to situations where the target is scanned with tools such as Nessus, Nmap and Nikto (Wireshark is often used alongside them to inspect the traffic these scans generate, but it is a packet analyzer rather than a vulnerability scanner). A security consultant will recommend a vulnerability assessment as the baseline methodology for organizations whose systems are of medium to critical importance to the business and to third parties, for example a financial system.
An organization is advised to maintain its security posture with regular vulnerability assessments, for example monthly, or at the very least once a year. The assessment gives the organization a list of known vulnerabilities that need to be resolved before an attacker can take advantage of them.
Penetration Testing goes a step beyond a vulnerability assessment: the tester verifies each vulnerability and attempts to exploit it. This gives the organization valid evidence that the vulnerability is real, so that it can accept the finding and resolve it.
Tools commonly used for this activity include Burp Suite Pro, Netsparker and the Social-Engineer Toolkit (SET).
Point of view of each activity
First, look at the objective of a vulnerability assessment: newly published vulnerabilities can be tested against the system or application. The purpose is to confirm that these new vulnerabilities do not exist within the application.
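To make the "list of known vulnerabilities" from a regular assessment and the "newly published vulnerabilities" check above concrete, here is an added example (not code from the original post): a toy vulnerability-assessment pass over an Nmap -sV XML report. The XML layout (nmaprun/host/ports/port/service with product and version attributes) is what Nmap really emits; the scan report, the host 192.0.2.10, the advisory table and the ADV-xxxx identifiers are all constructed for illustration and are not real CVEs. Every finding is marked "potential" on purpose: version matching is what an assessment does, and it takes a penetration test to turn a potential finding into a verified one.

```python
"""Toy vulnerability-assessment pass over an Nmap -sV XML report.

Added example, not from the original post. The Nmap XML structure is real;
the report, the advisory table and the advisory IDs are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed report, shaped like the output of `nmap -sV -oX scan.xml 192.0.2.10`.
SCAN_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed advisory table (hypothetical IDs, not real CVEs):
# product -> list of (fixed_in_version, advisory_id, severity).
# A service older than fixed_in_version is flagged as potentially affected.
ADVISORIES = {
    "OpenSSH": [((7, 5), "ADV-0001", "High"), ((8, 0), "ADV-0002", "Medium")],
    "nginx": [((1, 20, 0), "ADV-0003", "Medium")],
}


def parse_version(text):
    """'7.4p1' -> (7, 4); only the leading numeric dotted components are compared."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def open_services(xml_text):
    """Yield (host, port, product, version) for every open port with a fingerprinted service."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports carry no service to assess
            svc = port.find("service")
            if svc is None or svc.get("product") is None:
                continue  # no product fingerprint, nothing to match against
            yield addr, int(port.get("portid")), svc.get("product"), svc.get("version", "")


def assess(xml_text, advisories=ADVISORIES):
    """Return the assessment finding list.

    Findings come from version matching only; nothing is exploited, so each
    one stays 'potential' until a penetration test verifies it.
    """
    findings = []
    for addr, port, product, version in open_services(xml_text):
        ver = parse_version(version)
        for fixed_in, adv_id, severity in advisories.get(product, []):
            if ver and ver < fixed_in:
                findings.append({
                    "host": addr, "port": port, "service": f"{product} {version}",
                    "advisory": adv_id, "severity": severity, "status": "potential",
                })
    return findings


def new_findings(previous, current):
    """Findings a repeat assessment adds over the last one (new advisories or new services)."""
    seen = {(f["host"], f["port"], f["advisory"]) for f in previous}
    return [f for f in current if (f["host"], f["port"], f["advisory"]) not in seen]


if __name__ == "__main__":
    report = assess(SCAN_XML)
    for f in report:
        print(f"{f['severity']:6} {f['host']}:{f['port']} {f['service']} -> {f['advisory']} ({f['status']})")
    # Next month's run, after a (constructed) new nginx advisory was published:
    later = dict(ADVISORIES, nginx=ADVISORIES["nginx"] + [((1, 19, 0), "ADV-0004", "Critical")])
    for f in new_findings(report, assess(SCAN_XML, later)):
        print("NEW", f["severity"], f["advisory"], f["service"])
```

The first run reports two OpenSSH findings and one nginx finding for the constructed host; the second run, with one more advisory in the table, surfaces only the single new finding. That diff is the useful output of a monthly assessment, and each line of it is a candidate for a penetration tester to verify and, where possible, exploit.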
From the penetration testing point of view, the tester often has to satisfy compliance regulations such as PCI DSS, which require the test to be conducted at set intervals. Which regulations apply depends on the kind of data the organization processes, so it may find itself subject to several different compliance regimes at once.