Sometimes when I’m talking with organizations about their testing needs, there is some confusion between what constitutes a vulnerability scan, a penetration test, and a web application assessment.
Vulnerability scans are usually automated, and penetration testing involves both automated scanning and trained ethical hackers. Both can be done internally or externally. Scanning identifies vulnerabilities. Penetration testing involves a human component usually. Think penetration testing involves People! The goal is to think like the bad guy – the hacker.
While vulnerability testing identifies vulnerabilities and can be done at a network layer and to a certain extent, the application layer; penetration testing’s goal is to get to the sensitive data. Both are valuable testing methods, and are usually done together. There are more components that can be added to penetration testing, such as remote or on-site social engineering.
Web application testing is more specific to a particular application and involves:
- Detailed planning to gain an understanding of the function and inherent risks of the application, and identifying the best approach to testing
- Detailed application discovery using authenticated credentials to identify entry points for user interaction as well as application input/output
- Automated and manual testing of configuration management, authentication, session management, authorization, business logic, data validation, and identified web services
- A hybrid methodology of utilizing scanning tools, manual testing of compiled code, and review of components of the precompiled source code may be utilized.
It’s kind of like medicine – first we scan you, then we prod you, and if necessary, we bring in the skilled surgeons. Except it doesn’t hurt a bit! 🙂
Sr. Account Executive