A vulnerability assessment is often confused with penetration testing. A further danger is that the vulnerability assessment stage of a security testing engagement is often undertaken solely by an automated tool. It is of critical importance that a security testing engagement not only uses vulnerability assessment tools but also that each result is verified by a consultant, so that false positives are eliminated from the report.
Vulnerability Assessment: Limitations
All too often 7Safe’s penetration testing team gain sight of security testing reports or vulnerability assessment exercises that are simply a copy and paste of the output of a series of automated tools. Sadly for the client, such results are often full of false positives, or even false negatives, i.e. cases where the vulnerability assessment has failed to detect a vulnerability that is actually present.
A Better Type of Vulnerability Assessment
Our penetration testing team strongly believe in results verification: each finding from a vulnerability assessment tool is checked for correctness before it appears in the report. More importantly, in the report the pen test consultant can express a professional opinion on each finding, which greatly helps our client in the remediation activities that follow such testing. Thus the vulnerability assessment becomes a more valuable document to the decision maker, as the penetration testing consultant has taken the time to highlight overall areas of concern and to provide advice and consultancy.
PCI Penetration Testing
The PCI DSS (Payment Card Industry Data Security Standard) mandates for some organisations both regular vulnerability assessment (by means of an Approved Scanning Vendor, aka a PCI ASV scan) and penetration testing. However, there is a very significant difference between the two approaches:
Vulnerability Assessment – this is essentially a battery of clever, usually automated tests or security testing tool exercises that look for (generally) known lists of vulnerabilities. Whilst they do reduce risk by providing excellent coverage, they are prone to false positives and do not replace the intuition and creativity of a penetration testing consultant; hence the need for a periodic “pen test / penetration test”.
Penetration Testing – this term refers to the use of a penetration testing consultant who will undertake testing using experience, strong intuition, guidance from standards such as OWASP (Open Web Application Security Project – please see www.OWASP.org), and a mixture of best-of-breed vulnerability assessment, penetration testing and other security testing tools, together with bespoke scripts and other clever applications written in-house over many years. A penetration testing team will also provide very customised guidance in the form of both a technical and a business-driven report, which makes for a living document against which remediation activities may be driven by the client and the PCI QSA consultant during a PCI DSS audit. Please see our PCI testing for further details.