How to Combine Vulnerability Management & Penetration Testing

As digitization expands, our IT environments keep on growing and are becoming more and more complex. At the same time exposure to different types of vulnerabilities increases. To detect and fix these before they are used by an attacker, regular checks and tests are required. Two methods that serve important functions in a variety of ways to protect your systems are vulnerability management and penetration testing.

Vulnerability Management

Vulnerability management, or vulnerability scanning, is an automated and continuous process that identifies and classifies vulnerabilities in servers, computers, networks, and applications. This is done by matching each system against a list of known vulnerabilities. The most common finding is outdated software. In a small IT environment it may seem easy to keep every system up to date, but in larger environments with hundreds or even thousands of systems it is a significantly bigger challenge. An advantage of vulnerability management is that it is performed entirely objectively, without personal preferences.

It’s common to say that vulnerability management has two different scan levels:

  • Unauthenticated scans
  • Authenticated scans

In most cases these levels are implemented in two steps: first unauthenticated scans, then authenticated scans. The reason for this order is that, from a security point of view, vulnerabilities that can be exploited from the outside, without any access to the system, have the highest priority to fix.

Unauthenticated Scans

Unauthenticated scans are run from the internet or from locally installed scanners. No login credentials or agent are required. These scans are important because they find the vulnerabilities an attacker would use to get into your systems.

Scans of this kind should be run as often as possible, since hundreds of new vulnerabilities appear every week. A common frequency is weekly scans. On-demand scans should also be run when major changes are made to a system and before new systems are deployed.

Authenticated Scans

Authenticated scans are performed by giving the scanner access to the system as a privileged user. This lets the scanner gather more in-depth information and detect more issues from the inside, such as weak passwords, malicious software, installed applications, and configuration problems. The method can also show what damage a user with specific privileges could cause.
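To make the two scan levels and the prioritization described above concrete, here is an added example (not code from the original post or from any scanner product) of the matching step at the core of a vulnerability scanner. Hosts, installed versions and the advisory list are constructed sample data; the advisory identifiers are placeholders, not real CVEs. It assumes purely numeric dotted version strings and uses an assumed password-length threshold for the configuration check.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# --- Constructed sample data (not from the post). Advisory IDs are placeholders. ---

def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple; assumes purely numeric parts."""
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class Advisory:
    ident: str      # placeholder identifier, not a real CVE
    product: str
    fixed_in: str   # first version that is no longer affected
    remote: bool    # exploitable over the network without credentials
    severity: str

KNOWN_VULNERABILITIES = [
    Advisory("ADV-PLACEHOLDER-1", "webserver", "2.4.50", remote=True, severity="high"),
    Advisory("ADV-PLACEHOLDER-2", "sshd", "8.5", remote=True, severity="medium"),
    Advisory("ADV-PLACEHOLDER-3", "officesuite", "7.1", remote=False, severity="medium"),
]

@dataclass
class Host:
    name: str
    exposed_services: dict[str, str]    # what an unauthenticated scan can see from the network
    installed_software: dict[str, str]  # what an authenticated scan can enumerate with credentials
    config: dict[str, int] = field(default_factory=dict)

HOSTS = [
    Host("web01", {"webserver": "2.4.41", "sshd": "8.2"},
         {"webserver": "2.4.41", "sshd": "8.2", "officesuite": "7.2"},
         {"password_min_length": 8}),
    Host("ws17", {}, {"officesuite": "6.4"}, {"password_min_length": 14}),
]

@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    severity: str
    remote: bool
    source: str   # "unauthenticated" or "authenticated"

def match_inventory(host: Host, inventory: dict[str, str], source: str) -> list[Finding]:
    """Core of a vulnerability scanner: compare observed versions against known advisories."""
    findings = []
    for product, version in inventory.items():
        for adv in KNOWN_VULNERABILITIES:
            if adv.product == product and parse_version(version) < parse_version(adv.fixed_in):
                findings.append(Finding(host.name, product, version, adv.ident,
                                        adv.severity, adv.remote, source))
    return findings

def unauthenticated_scan(host: Host) -> list[Finding]:
    """Sees only network-exposed services, i.e. what an outside attacker would also see."""
    return match_inventory(host, host.exposed_services, "unauthenticated")

def authenticated_scan(host: Host) -> list[Finding]:
    """With credentials the scanner enumerates all installed software and checks configuration."""
    findings = match_inventory(host, host.installed_software, "authenticated")
    min_len = host.config.get("password_min_length", 0)
    if min_len < 12:   # threshold is an assumption made for this example
        findings.append(Finding(host.name, "password-policy", str(min_len),
                                "WEAK-PASSWORD-POLICY", "medium", False, "authenticated"))
    return findings

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Externally exploitable findings first, then by severity, then a stable host/product order."""
    return sorted(findings, key=lambda f: (not f.remote, SEVERITY_RANK[f.severity], f.host, f.product))

def scan_estate(hosts: list[Host], authenticated: bool) -> list[Finding]:
    """Run one scan level over every host and return the prioritized list of findings."""
    scan = authenticated_scan if authenticated else unauthenticated_scan
    return prioritize([f for host in hosts for f in scan(host)])

if __name__ == "__main__":
    for f in scan_estate(HOSTS, authenticated=True):
        print(f"{f.host:6} {f.product:16} {f.version:8} {f.advisory:22} {f.severity:7} "
              f"{'remote' if f.remote else 'local':6} via {f.source}")
```

Running the unauthenticated level against the sample hosts reports only the two exposed services on web01; the authenticated level additionally finds the outdated office suite on the workstation and the weak password policy, which an outside scan can never see. The sort order places the remotely exploitable findings first, which is the rationale given above for fixing externally reachable issues before the rest.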

Penetration Testing

A penetration test, or pentest, is performed by one or several people with extensive knowledge of IT security, often called penetration testers. A penetration tester is usually hired as a consultant to provide a more objective assessment of the environment. The tester uses a variety of tools to find vulnerabilities and test whether they can be exploited, and can adapt to what is found in a way that automated vulnerability management cannot. Often, the first step of a penetration test is a vulnerability scan.

Penetration tests are usually not performed as often as vulnerability scans, but they should be done at least annually. Just as with vulnerability management, changes in your IT environment, such as releasing a sensitive system, may call for additional penetration testing.

When hiring a penetration tester, it is important to ask for practical experience, especially from similar environments, and for the ability to think and act from an attacker's perspective. It is also important that the person is careful and accurate and has good communication skills, so that you get a full understanding of the results and the actions needed.

A common problem with penetration tests is that follow-up and the required actions are deprioritized by the organization as soon as the penetration tester has finished the assignment. This is another reason why continuous, automated vulnerability management is important: it complements penetration testing and ensures that vulnerabilities keep being detected frequently and over time.

Comparison

Method
Vulnerability management: Performed automatically and continuously.
Penetration testing: Performed by an IT security specialist, usually a consultant.

Frequency
Vulnerability management: Weekly or daily, depending on how sensitive the system is. Sometimes lighter scans are run more frequently and in-depth scans less frequently, for example monthly.
Penetration testing: Once or twice a year, and in connection with significant changes in your IT environment.

Reports
Vulnerability management: Provides a comprehensive overview of which vulnerabilities exist and how the situation has developed since the last report. Reports for both technicians and management.
Penetration testing: Provides detailed information about which information could be compromised and what security measures you need to take.

Focus
Vulnerability management: Detects known vulnerabilities that might be exploited.
Penetration testing: Detects unknown vulnerabilities.

Target
Both: Detect vulnerabilities and help you fix them before an attacker does.

Advantage
Vulnerability management: Provides a lot of insight into and overview of IT security with little effort and at a low cost.
Penetration testing: A penetration tester, in comparison to an automated system, is able to draw conclusions and analyse systems in a methodical manner.