4 March 2021

Security Explained: Penetration Testing vs Vulnerability Scanning

When it comes to keeping your applications and systems safe from threats, there are several avenues of protection available. Vulnerability scanning is one of them: a quick and helpful scan for basic flaws in your security. However, we've noticed a very common misconception about what such a scan actually delivers, particularly in the healthcare and finance industries.

While it has its uses as a quick and economical scan for known weaknesses, it cannot replace manual penetration testing. At Cyrex, we'd like to clear up the misconception and put vulnerability scanning in context alongside penetration testing.

Automated Tools

Vulnerability scans, unlike penetration testing, are an automated process: typically a licensed program that is pointed at your systems and reports whatever flaws it recognises. Penetration testing, by contrast, is a manual process of investigation and ethical hacking.

These vulnerability scans have their place in security. They are cheaper than penetration testing and usually faster, thanks to automation. However, they cannot replace penetration testing.

An automated scan such as this is simply looking for patterns. Much like an anti-virus program, it compares what it sees (version banners, response contents, known misconfigurations) against a list of signatures for known, basic vulnerabilities. It is, at most, a top-level scan of your application or system for the most noticeable weaknesses. There are often deeper and more complex security issues, vulnerabilities that an automated scan could never check for or understand. The same pattern matching also cuts the other way: in our experience it produces multiple false positives, because a match on a version string or a response pattern does not prove the flaw is present or exploitable, so every finding still has to be verified by a person.

Business Logic Flaws

A business logic flaw is one of the most common flaws found during testing. It is simply a mistake made when building logic-based functionality, a human error: the application does exactly what its code says, but the rules of the workflow can be bent in ways the developers never intended, such as a step being skipped or a value being accepted that the business would never accept. Coders creating entire applications and systems are only human and will naturally make mistakes.

This is a major issue, of course, and it is one that commonly happens.

An automated system cannot interpret a business logic flaw. Every request in such an attack is well-formed; there is no injection payload or known-bad signature for a scanner to match. Spotting the flaw requires understanding the sequence and procedures the code was designed to follow, and then asking how that sequence could be abused, which means treating the workflow as something variable rather than fixed. These are human errors, and they require a human to see the problem.
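As an added illustration of the two points above (the signature matching described under Automated Tools and the business logic flaw described here), the following Python is our worked example and not code from Cyrex or from any scanning product. It models a hypothetical cart API with a constructed catalogue and constructed request sequences: a quantity that is type-checked but never range-checked lets a negative line turn an order into a credit, a toy signature list in the spirit of a scanner finds nothing to match in that attack, and a hardened version makes the workflow rules explicit.

```python
import re

# Constructed catalogue for the example; prices in cents to avoid float rounding.
PRICES = {"widget": 1000, "gadget": 2500}

# Constructed request sequences against a hypothetical cart API.
# Every attacker request below is syntactically valid: the right keys, the
# right types, no injection metacharacters. Only its *meaning* is wrong.
LEGIT_REQUESTS = [
    {"action": "add", "sku": "widget", "qty": 1},
    {"action": "add", "sku": "gadget", "qty": 1},
    {"action": "checkout"},
]
ATTACK_REQUESTS = [
    {"action": "add", "sku": "gadget", "qty": 1},
    {"action": "add", "sku": "widget", "qty": -3},  # negative quantity acts as a credit
    {"action": "checkout"},
]


def _validate_add(req):
    """Syntactic checks both versions share: known SKU, integer quantity."""
    sku, qty = req.get("sku"), req.get("qty")
    if sku not in PRICES or type(qty) is not int:
        raise ValueError("malformed request")
    return sku, qty


def checkout_vulnerable(requests):
    """Cart with a business logic flaw: qty is type-checked but never
    range-checked, so a negative line turns the order into a refund."""
    cart = {}
    for req in requests:
        if req["action"] == "add":
            sku, qty = _validate_add(req)
            cart[sku] = cart.get(sku, 0) + qty
        elif req["action"] == "checkout":
            return sum(PRICES[s] * q for s, q in cart.items())
    raise ValueError("sequence never reached checkout")


def checkout_hardened(requests):
    """Same flow with the workflow rules made explicit: each line must be a
    positive quantity within a sane bound, and the final total must be
    positive (defence in depth against any other path to a credit)."""
    cart = {}
    for req in requests:
        if req["action"] == "add":
            sku, qty = _validate_add(req)
            if not 1 <= qty <= 100:
                raise ValueError(f"quantity out of range for {sku}: {qty}")
            cart[sku] = cart.get(sku, 0) + qty
        elif req["action"] == "checkout":
            total = sum(PRICES[s] * q for s, q in cart.items())
            if total <= 0:
                raise ValueError("order total must be positive")
            return total
    raise ValueError("sequence never reached checkout")


def hardened_rejects(requests):
    """True if the hardened flow refuses the sequence."""
    try:
        checkout_hardened(requests)
    except ValueError:
        return True
    return False


# A toy stand-in for the pattern matching a signature scanner performs:
# classic injection and traversal markers. Constructed list, not any
# product's real signature set.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"'", r"<script", r"\.\./", r"\bor\s+1\s*=\s*1\b", r"\$\{",
)]


def signature_hits(requests):
    """Count request values matching any signature. The attack above scores
    zero: there is nothing syntactically suspicious to match."""
    return sum(
        1 for req in requests for v in req.values()
        if any(sig.search(str(v)) for sig in SIGNATURES)
    )


if __name__ == "__main__":
    print("legit total     :", checkout_vulnerable(LEGIT_REQUESTS))   # 3500
    print("attack total    :", checkout_vulnerable(ATTACK_REQUESTS))  # -500
    print("scanner hits    :", signature_hits(ATTACK_REQUESTS))       # 0
    print("hardened rejects:", hardened_rejects(ATTACK_REQUESTS))     # True
```

The point of the contrast is that a signature list catches the quote-and-`OR 1=1` style of input it was written for, yet the negative-quantity sequence contains no such marker, so only a tester who knows that a cart line should never be a credit will think to try it. The fix is not a filter but an explicit statement of the business rule in code, checked at the line and again at the total.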

Penetration Testing

This is where penetration testing comes in: manual, human testing and discovery.

Now, at Cyrex, we're not pretending we don't use automated tools. We do, of course! We use them mainly in the reconnaissance phase, to discover the functionality and architecture present in the application or system. They are tools for understanding and learning faster.

But all of our discoveries are validated by a tester, and all of our testing is conducted using our pair hacking method: two security engineers at minimum, testing theories and trials against one another to validate any potential vulnerability. Our pair hacking approach is tried and tested; we've taken on some of the biggest companies with it (Apple) and secured a fair share of bug bounties during our attempts.

The main point, when it comes to security testing, is that you can't replace the ethical hacking mindset: the outside-the-box thinking, the chaining of multiple functionalities to create an exploitable condition. An automated tool cannot consider custom frameworks, custom coding languages or custom functionality. It can only look for basic patterns and problems.

Which one should I choose then?

Like vulnerability scanning, penetration testing is a security tool, just a different one. They aren't mutually exclusive; one does not preclude the other. Quite the opposite! A vulnerability scan is an excellent finishing touch to a manual penetration test, and because it is cheap to repeat, it can also be run regularly between tests to catch regressions and newly published vulnerabilities.

Running a vulnerability scan does not keep you secure, but it is a useful tool and an economical choice. Penetration testing is more expensive, as a thorough manual test naturally would be, but miles ahead in terms of quality assurance and depth.

Each has its positives and negatives, but ultimately, to look at them as exclusive to one another is a misconception. In industries where client safety is just as important as company cybersecurity, such as healthcare and finance, it's important to cover all your bases. With that in mind, penetration testing is no doubt the best option for full, comprehensive coverage.

If you'd like to see the results of a penetration test, you can find some anonymised security reports here. You can also learn about Cyrex's penetration testing services here or get in touch directly.