Vulnerability Assessment versus Penetration Testing

Vulnerability Assessment, commonly called ‘VA’, is a type of technical assessment in which security vulnerabilities in a system are identified. Once identified, the vulnerabilities are rated by severity and assigned a remediation priority. It is used when you need a prioritized list of everything that’s wrong, where the goal is to fix as many things as possible as efficiently as possible.

Penetration Testing, also known as ‘PT’, is a technical assessment in which an attack by a malicious party is simulated. The main goal is to check whether an attacker could gain access to confidential information (steal customer data), affect data integrity (modify payment information) or affect the availability of a service (bring down the server), and what the resulting impact on the system would be.

The difference: vulnerability assessments look for security problems when we know or assume they exist, whereas penetration testing helps validate a configuration when you believe it to be secure. In simple words, a vulnerability assessment only identifies the vulnerabilities, whereas a penetration test exploits those vulnerabilities to gain further access to the system.

Hence it is sensible not to spend money on a penetration test unless you have already undergone many vulnerability assessments and patched the security misconfigurations they found.