Two terms that frequently get misused (and often interchanged) are vulnerability scanning and penetration testing. They are different activities and satisfy different parts of the PCI DSS requirements. In fact, these terms get confused so often that the PCI SSC has published information on the differences between them.
In this article we break down the differences between vulnerability scanning and penetration testing.
The PCI SSC published an information supplement on penetration testing in 2017. In it, they summarised the key differences between vulnerability scans and penetration tests; that summary is reproduced below.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Purpose | Identify, rank, and report vulnerabilities which could be exploited. | Identify ways to exploit vulnerabilities to circumvent or defeat security features. |
| When | At least quarterly. After significant changes. | At least annually. Upon significant changes. |
| How | Primarily automated tools. | Primarily manual tools, which may include using automated vulnerability scans. |
| Reports | Potential risks rated as per NVD / CVSS base scores, with information on what configuration indicated the vulnerability may be present. | Description of each verified vulnerability. Details additional specific risks and methods for exploitation. |
| Duration | Short, seconds to minutes per host scanned. | Days or weeks, depending on the scope of testing and size of the environment. |
Vulnerability scans are required to be performed at least quarterly. External vulnerability scans must be performed by an Approved Scanning Vendor (ASV). Internal vulnerability scans do not have to be performed by an ASV, but many ASVs offer these services.
Vulnerability scans need to be carried out at least quarterly to meet PCI requirements, but we recommend monthly so that you have time to fix any findings and still obtain a passing scan within the quarter.
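The table above says scan reports rank findings by NVD / CVSS base score, and the paragraph above recommends a monthly cadence so a passing scan lands inside each quarter. The following added example, which is not from the article or from Confide, shows how a defender might triage a scan report and check scan cadence against those two rules. It assumes a failing threshold of CVSS base score 4.0 (the value the PCI ASV Program Guide uses; the article itself does not state it), models "quarterly" as a 90-day window, and uses constructed findings with placeholder CVE identifiers rather than real scan output.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: ASV scans fail on any finding with CVSS base score >= 4.0
# (the PCI ASV Program Guide threshold; the article does not state it).
ASV_FAIL_THRESHOLD = 4.0
QUARTER_DAYS = 90  # "at least quarterly" modelled as a 90-day window (assumption)


@dataclass
class Finding:
    host: str
    cve: str          # placeholder identifiers, constructed for this example
    cvss_base: float  # NVD / CVSS base score as reported by the scanner
    detail: str       # what the scanner observed that suggests the issue is present


def rank_findings(findings):
    """Sort findings highest CVSS base score first; ties broken by host and id."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.host, f.cve))


def scan_verdict(findings, threshold=ASV_FAIL_THRESHOLD):
    """Return ("PASS", []) or ("FAIL", [findings at or above the threshold])."""
    failing = [f for f in rank_findings(findings) if f.cvss_base >= threshold]
    return ("FAIL" if failing else "PASS"), failing


def quarterly_gaps(passing_dates, window_days=QUARTER_DAYS):
    """Return (previous, next) pairs of passing-scan dates whose gap exceeds the window."""
    ds = sorted(passing_dates)
    return [(a, b) for a, b in zip(ds, ds[1:]) if (b - a).days > window_days]


def next_scan_due(last_passing, cadence_days=30, window_days=QUARTER_DAYS):
    """Recommended next (monthly) scan date and the hard quarterly deadline."""
    return (last_passing + timedelta(days=cadence_days),
            last_passing + timedelta(days=window_days))


# Constructed sample data; not real scan output
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "CVE-0000-0001", 7.5, "TLS 1.0 offered on 443/tcp"),
    Finding("10.0.0.5", "CVE-0000-0002", 2.6, "Server header discloses version"),
    Finding("10.0.0.9", "CVE-0000-0003", 5.3, "Outdated web server banner"),
]
SAMPLE_PASSING_SCANS = [date(2023, 1, 10), date(2023, 2, 12), date(2023, 6, 1)]

if __name__ == "__main__":
    verdict, failing = scan_verdict(SAMPLE_FINDINGS)
    print(f"scan verdict: {verdict}")
    for f in failing:
        print(f"  {f.host} {f.cve} CVSS {f.cvss_base}: {f.detail}")
    for a, b in quarterly_gaps(SAMPLE_PASSING_SCANS):
        print(f"quarterly requirement missed between {a} and {b} ({(b - a).days} days)")
    recommended, deadline = next_scan_due(max(SAMPLE_PASSING_SCANS))
    print(f"next scan recommended {recommended}, quarterly deadline {deadline}")
```

With the sample data the scan fails on two findings (7.5 and 5.3), and the gap between the February and June passing scans exceeds the 90-day window, which is exactly the situation a monthly cadence is meant to prevent.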
Vulnerability scans are a primarily automated process. Although someone is required to schedule, configure, and run the scans, the work behind the scenes is done by your vulnerability scanning vendor.
Penetration testing is a primarily manual process. Vulnerability scanning may be used as an initial step in the penetration testing process, but penetration testing generally depends on a tester taking information about vulnerabilities and trying to exploit them to see how they can bypass security controls. The tester may chain together different types of attacks and different vulnerabilities to reach their goal over time.
While vulnerability scanning primarily focuses on whether a vulnerability might exist, penetration testing goes one step further and tests whether, and how, that vulnerability can actually be exploited.
Need Help with Vulnerability Scanning?
If you need help with your vulnerability scanning, Confide has experts who are qualified and certified in using vulnerability scanning tools. Read more about our Managed Vulnerability Scanning Service or contact us to find out more.