Is penetration testing more effective than vulnerabiltiy scanning? No

If your organization requires proof of each network vulnerability with a penetration test, then you are focusing on the wrong problem. With new vulnerabilities being disclosed daily, it should be assumed that all applications are exploitable. Modern networks should be focused on minimizing their attack surface, and vulnerability scanning is the best choice for this task.

The opposing viewpoint

Comparing penetration-testing tools with vulnerability-scanning tools is like comparing the effectiveness of regular trips to the dentist and X-rays of bicuspids. Modern vulnerability-scanning tools test for thousands of known client and server vulnerabilities across hundreds of architectures. They do this with network scanning, host-based patch audits and network sniffing. Penetration-testing tools typically focus on testing hundreds of exploits to server vulnerabilities for a handful of architectures and operating systems.

These techniques have different levels of ease of use, false negative rates, false positive rates and effect on the network. However, for effective vulnerability management, relying solely on penetration testing is a bad idea. Vulnerability scanning is better suited to the task, for several reasons.

First, vulnerability scanning can be automated and made part of a network management system. Discovery of new hosts, applications and vulnerabilities can be fed into trouble-ticket systems to be addressed, whereas penetration testing is best performed manually by an experienced team.

Second, vulnerability scanning tests a larger number of vulnerabilities on more platforms than typical penetration-testing tools. Vulnerability scanning also takes into account security issues in printers, routers, wireless access points, firewalls and many other common network devices, whereas most penetration-testing tools do not.

Third, vulnerability scanning with continuous network monitoring or host-based patch auditing will easily identify vulnerabilities in client applications across a network. Some penetration-testing tools will test client applications, but these are normally used for local privilege escalation.

Finally, vulnerability scanning provides more fidelity of information. Our Nessus vulnerability scanner has close to 10,000 scripts, which detect missing security patches, installed software, listening services and vulnerabilities. Nessus performs exploit tests similar to those of penetration-testing tools but stops short of exercising the exploit. Potential vulnerabilities are reported with a low, medium or high rating. This gives security teams more data to make informed decisions.

Do not take these arguments as reasons not to use penetration-testing tools. Every network-security practitioner should understand them and know how to use them, especially for auditing core servers. Penetration-testing tools can demonstrate a portion of the vulnerabilities requiring addressing, but an effective vulnerability-management strategy must make use of many vulnerability-scanning technologies.

Gula is CEO of Tenable Network Security. He can be reached at rgula@tenable_security.com.