The Truth About Penetration Testing Vs. Vulnerability Assessments

Organizations Must Put Security Vulnerabilities Into the Context of Their Exploitability


Vulnerability assessments are often confused with penetration tests. The two terms are frequently used interchangeably, but they answer different questions. To strengthen an organization’s cyber risk posture, it is not enough to test for vulnerabilities; an organization must also assess whether those vulnerabilities are actually exploitable and what risk they represent. To increase resilience against cyber-attacks, it is essential to understand how vulnerability assessment, penetration testing, and cyber risk analysis relate to one another.

Vulnerability assessments have become one of the dominant security practices in today’s dynamic threat landscape. Running vulnerability scanners, whether against networks, applications, or databases, is standard practice for most large end-user organizations, and even smaller enterprises use managed security services to scan their environments. The objective of a vulnerability assessment is to identify and quantify security vulnerabilities in an environment. Off-the-shelf scanners evaluate an organization’s security posture, identify known security gaps, and recommend mitigation actions to eliminate weaknesses or at least reduce them to an acceptable level of risk.

The vulnerability assessment process typically inventories all of an organization’s assets, classifies them by business value and potential impact, and then identifies the known vulnerabilities associated with each. The final step is mitigating the most critical vulnerabilities on the assets with the highest potential business impact. At the discovery stage, broad coverage is what counts: a flaw the scanner never reports cannot be prioritized later.

However, the raw list of vulnerabilities reported by scanners is only the first step in a true vulnerability management process. Without putting each vulnerability into the context of its exploitability, organizations routinely misallocate remediation resources, patching high-severity findings that no attacker can reach while exploitable medium-severity ones wait in the queue. To prioritize remediation correctly, determine whether a specific vulnerability is actually exploitable in its environment: is the vulnerable component reachable by an attacker, is a working exploit available, and does a compensating control block the exploit path? Skipping this step wastes money and, more importantly, lengthens the window in which attackers can exploit the vulnerabilities that are truly high risk. Ultimately, the goal is to shorten the window attackers have to exploit a software flaw.

It is important to remember that vulnerability scanners base their findings on a catalog of known vulnerabilities, meaning issues already known to security professionals, cyber-attackers, and the vendor community. Vulnerabilities that are not yet public, along with business-logic flaws and misconfigurations that have no scanner signature, are therefore not detected by scanners, and a clean scan report should never be read as an absence of exploitable weaknesses.

In addition to contextualizing the organization’s internal security intelligence with external threat data, more and more organizations are conducting penetration tests to determine the exploitability of vulnerabilities. A penetration test is conducted by ethical hackers who simulate the actions of a malicious external and/or internal attacker. The objective is to expose security gaps, investigate the risk they pose, and determine what information could be extracted if the weakness were exploited. Unlike a scan, a penetration test is scoped and time-boxed, so it confirms exploitability for the attack paths the testers actually pursued rather than enumerating every weakness. Penetration test results are typically reported in terms of severity, exploitability, and associated remediation actions. Ethical hackers often use automated tools such as Metasploit, and some write their own exploits.

To put the pieces of this puzzle together, organizations need to conduct a comprehensive risk analysis that takes into account all the contributing factors, including asset criticality, vulnerabilities, external threats, reachability, exploitability, and business impact.
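The prioritization argued for in the two paragraphs above (contextualizing scanner output by exploitability, then folding in the risk-analysis factors just listed), as an added example that is not part of the original article or the author’s own method: a small Python model that ranks constructed scanner findings by a risk score combining severity, exploitability, reachability, compensating controls, and asset criticality, and compares that ranking with a plain CVSS sort. The weights, the asset inventory, and the finding identifiers are assumptions constructed for illustration, not a standard.

```python
"""Toy vulnerability-prioritization model (added example, not code from the
article or its author). It ranks scanner findings by a risk score that
combines scanner severity with exploitability, reachability, compensating
controls and asset criticality, and contrasts that order with a plain
severity sort. All findings, asset values and weights are constructed
for illustration; the weighting scheme is an assumption, not a standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str          # scanner's own identifier (constructed placeholder)
    asset: str               # inventory name of the affected asset
    cvss: float              # scanner-reported base severity, 0.0-10.0
    exploit_public: bool     # working exploit available (PoC, Metasploit module)
    exploited_in_wild: bool  # external threat data reports active exploitation
    reachable: bool          # an attacker can actually reach the vulnerable component
    mitigated: bool          # a compensating control blocks the exploit path


# Constructed asset inventory: business criticality on a 1 (low) to 5 (high) scale.
ASSET_CRITICALITY = {
    "hr-db": 5,        # payroll database, internal network only
    "public-web": 4,   # customer-facing web application
    "dev-wiki": 2,     # internal documentation host
}


def exploitability_factor(f: Finding) -> float:
    """Scale severity by how likely exploitation really is (assumed weights).

    A finding that cannot be reached, or whose exploit path is blocked by a
    compensating control, keeps a small residual weight rather than zero:
    the flaw still exists and the control may be removed later.
    """
    if f.mitigated or not f.reachable:
        return 0.1
    if f.exploited_in_wild:
        return 1.0
    if f.exploit_public:
        return 0.7
    return 0.3  # known vulnerability, no public exploit yet


def risk_score(f: Finding) -> float:
    """Severity x exploitability x asset criticality, rounded for reporting."""
    criticality = ASSET_CRITICALITY.get(f.asset, 3) / 5.0  # unknown asset: assume medium
    return round(f.cvss * exploitability_factor(f) * criticality, 2)


def by_severity(findings):
    """The order a raw scanner report suggests: highest CVSS first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """The order the contextualized analysis suggests: highest risk score first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (identifiers and values are placeholders).
SAMPLE_FINDINGS = [
    Finding("F-1", "hr-db",      9.8, True,  False, False, False),  # critical, but segmented off
    Finding("F-2", "public-web", 7.5, True,  True,  True,  False),  # actively exploited, exposed
    Finding("F-3", "public-web", 9.1, False, False, True,  False),  # critical, no exploit known
    Finding("F-4", "dev-wiki",   8.8, True,  False, True,  True),   # exploit blocked by control
    Finding("F-5", "hr-db",      5.3, True,  False, True,  False),  # medium, exploitable, crown jewel
]


if __name__ == "__main__":
    print("severity order:", by_severity(SAMPLE_FINDINGS))
    print("risk order:    ", by_risk(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.finding_id}: cvss={f.cvss:<4} risk={risk_score(f)}")
```

On the constructed data the two orderings disagree sharply: the 9.8 finding on the segmented database drops from first to fourth because nothing can reach it, while the 7.5 finding that is exposed and actively exploited rises to the top, and the medium-severity but exploitable flaw on the most critical asset outranks two critical-severity findings. The residual 0.1 weight for mitigated or unreachable findings is a deliberate design choice so that such findings remain on the backlog instead of disappearing from it.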

Ultimately, vulnerability assessment, penetration testing, and cyber risk analysis must work hand-in-hand to reduce cyber security risk.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
