What is the difference between scanning and penetration testing?
Those of us responsible for managing Vulnerability scanning and penetration testing often seem to get the same question over and over… What is the difference between a vulnerability scan and a penetration test?
You would think that this is not a difficult topic to grasp, but some folks really do struggle to remember the difference. I’ll lay it out here in the most simple way I know how..
- Scan = Look for holes and issues on a network or website. Usually with some type of scanning tool.
- Penetration Test = Exploit and Hack holes that you have found on a network. And see how far you can get.
Some good scanning tools are..
McAfee Vulnerability Manager (used to be called Foundstone)
Many companies offer penetration testing services. I’ve only had experience with a few, so my only advice is to make sure your contracts are well written and that you are careful when working with a small company.
I’d like to write more, but I’m tired from getting up at 3:30 last night to make sure a 2 year old security patch was applied to critical server. More from the trenches later..
