Pentest vs Vulnerability Management

Finding vulnerabilities is the job of a security expert when he starts a pentest. An average penetration test costs around 5,000 euros, so it will not surprise you that most organizations choose to have a pentest carried out only once a year. At the end of a pentest you will receive a report containing the findings and recommendations, often with enough points for improvement for the rest of the year.

The disadvantage of a pen test is that it is a snapshot: the report gives a clear picture of what the situation is today, but the organization is blind for the rest of the year. What if a new vulnerability is released the day after delivery of the report?

The answer is vulnerability management

How can we improve this? Being blind for 11 out of 12 months is at least suboptimal. The answer is vulnerability management. Vulnerability management solutions such as NetCaptain, as well as scanning products such as Nessus or OpenVAS are able to identify more than 100,000 unique vulnerabilities. You can think of it as a “hacker in a box”. The big difference is that these services give you a real-time overview of the current situation. If a new vulnerability is released, you are immediately informed and you do not have to wait a year. And let’s be honest: the first thing an expensive security expert does is use the same tooling.

If you want to test your whole infrastructure for security flaws, make sure you have done your homework.

That does not mean that security experts have become redundant, on the contrary. People are able to understand and respond to the context of an application. Suppose you can change a number in an application, then it is important to see the difference between a house number and a bank account balance. The latter would be a huge problem if a customer could just adjust his balance! A security expert is able to find these kinds of vulnerabilities, but a computer cannot tell the difference.

You see, a pen test is an important addition to your application. However, it is advisable to have your house in order beforehand by remedying the low hanging fruit. If you don’t, you risk that the pen tester will spend most of his time scanning, leaving little time for what a human is really good at: finding creative ways that no machine can discover.

Would you like to know which steps you can best take? Please do not hesitate to contact us. CyberAnt can help you with vulnerability management as well as with a pentest.

The Owasp Top 10Ransomware: Anti-virus alone is not enough