If you take credit card payments, you may be aware that regular vulnerability scanning and penetration testing are required to be PCI compliant but the differences between the two, as required by PCI DSS, still seems to cause confusion within the industry. The following article aims to directly compare Penetration Testing and Vulnerability scanning so that the requirement to carry out both types of security control can be better understood.
The purpose of Vulnerability scanning is to identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system. It’s about identifying the possibilities for compromise.
The purpose of Penetration Testing is to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. It is a means of verifying the possibilities so that security risks can be prioritised.
Vulnerability scanning should be carried out least quarterly or after significant changes to applications or infrastructure by an Approved Scanning Vendor (ASV)
Penetration Testing should be carried out least annually and upon significant changes to applications or infrastructure. It should be done by a competent, qualified person or organisation which could be an in-house expert or a third party specialist.
How is it Done
Vulnerability Scanning is typically carried out by using automated tools or cloud services. A vulnerability scan may take a relatively short amount of time, typically several seconds to several minutes per scanned host.
Penetration testing is largely a manual process. The initial stage of testing may include the use of vulnerability scanning using a number of commercial and open source tools to get maximum coverage. All identified issues are then manually verified to the extent possible within business constraints to avoid disruption to business activities. The process results in a comprehensive report which refines a list of potential vulnerabilities to a much shorter list of real, prioritised, issues. Penetration testing engagements may last days or weeks depending on the scope of the test and size of the environment to be tested. Testing time can also increase, if additional scope is uncovered during testing.
A Vulnerability Scan Report should detail potential risks posed by known vulnerabilities, ranked in accordance with the NVD/CVSS base scores associated with each vulnerability. Whilst external vulnerability scans must be performed by an ASV, internal vulnerability scans may be performed by qualified personnel and risks ranked in accordance with the organisation’s own risk-ranking process as defined in PCI DSS Requirement 6.1. An external vulnerability scan is conducted from outside the target organisation. An internal vulnerability scan is conducted from inside the target organisation.
A typical Penetration Testing Report would detail a description of each discovered vulnerability and whether it was possible to manually verify it, including specifics on the risks that the vulnerability may pose. It may also expand on exploit methods and to what extent it may be exploited. Examples of vulnerabilities may include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols. A good quality penetration testing report would also include remediation steps for the identified issues.