There seems to be a certain amount of confusion within the IT arena about the differences between Penetration Testing and Vulnerability Assessment. They are often classified as the same thing when in fact they are not. Penetration Testing does sound a lot more exciting, but in our experience most clients actually require a comprehensive Vulnerability Assessment (V.A.) and not a more intrusive Penetration Test.
They are similar projects and cover much of the same ground. The main difference is that a Penetration Test is more aggressive and more intrusive: it goes one step further and involves trying to technically break into the systems or servers to prove they are vulnerable.
The problem with this is that it can be risky. Exploits make use of a flaw in the running software or the operating system, and so can cause instability. When we are testing the live servers of a client, this is the last thing we want to happen.
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
Most clients actually want a Vulnerability Assessment, even though they may label it a Penetration Test. In the majority of cases the systems we are testing for flaws are live production systems and can't afford to be disrupted by active exploits which might crash the system or cause some kind of unpredictable behaviour or instability.
Vulnerability assessment is a much broader term and can be applied to many things. It is closely related to Risk Assessment (which is also involved in Business Continuity Planning and Disaster Recovery Development) and involves the process of identifying and quantifying vulnerabilities in a system. In this case it's technical vulnerabilities within the system, known as exploits. These of course put the systems at risk.
NSS generally delivers a comprehensive vulnerability assessment, as most clients do not require any actual penetration. We are contracted to assess and document any possible vulnerabilities within the information technology architecture and to recommend mitigation measures and improvements to the system. This also generally includes Information Security Policy Development or Review.
We also offer comprehensive Penetration Tests and Application Security reviews to those clients with more specific worries or doubts.