Many organizations conduct vulnerability assessments, while fewer conduct regular third-party penetration tests. Both are critical components of a Vulnerability and Threat Management program.
Vulnerability assessments identify security vulnerabilities in an environment, such as applications and networks. Testing should produce a prioritized list of vulnerabilities and guidance on how to remediate them. The goal is to identify the issues and to help the company direct its resources to the vulnerabilities that introduce the greatest risk to the enterprise.
While there are many different definitions of a penetration test, I tend to lean towards a test that aims to breach the information security of your organization. This test often actually exploits weaknesses in your systems, proving or disproving real-world attack vectors against your company’s assets, physical security, data or people. Penetration tests can have narrow or wide scopes and can include not only logical tests, but also physical security and social engineering tests.
White Box vs. Black Box
White box penetration tests start with provided information such as vulnerability assessments and credentials, as well as the company's permission to perform the test. Black box testing is performed with limited information about the target systems and relies on the skill of the person performing the test to find their own way into the enterprise. This is one reason the skill and reputation of your penetration testing company is critical. Black box testing generally provides a more realistic result, as this is the route a Black Hat hacker and other bad actors would take into your enterprise.
There are many commercial and Open Source vulnerability scanners on the market that look for a variety of vulnerabilities such as those found in the OWASP Top 10, including SQL injection, cross-site scripting, cross-site request forgery, and insecure direct object references. Each tool has its own strengths and weaknesses, and it is often necessary to use more than one tool to get the right scope of tests for your organization.
I generally advise companies to use vulnerability scanners to find their issues, and to re-test after repairing. Once an organization believes it has resolved the majority of its security vulnerabilities, a third-party penetration test can help validate that belief. It is also becoming more common for healthcare companies to require their third-party vendors and Business Associates to have a third-party penetration test performed by a reputable vendor to determine the real-world effectiveness of their security controls.