As a security practitioner and auditor, I am often asked about the differences between vulnerability assessments and penetration testing. Seasoned security professionals may already know the answer, but many non-security professionals need help understanding the differences, the benefits, and the costs. Larger corporations with mature security postures and larger budgets can easily fold these activities into their portfolio of annual security activities (alongside, for example, security awareness training); smaller entities or startups may need to hear or see a strong argument before they can justify the associated costs.
What is the Difference Between a Vulnerability Assessment & Penetration Testing?
A vulnerability assessment is a largely automated activity, carried out with a scanning tool or service (often from a third party), that identifies known vulnerabilities and misconfigurations within a given technology environment. NIST (SP 800-53) defines a vulnerability as a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
A penetration test is performed by an individual or group of individuals using a variety of automated and manual tools and techniques to actually exploit vulnerabilities and configuration errors in a given technology environment. NIST defines penetration testing as a method of testing where testers target individual binary components or the application as a whole to determine whether intra- or inter-component vulnerabilities can be exploited to compromise the application, its data, or its environmental resources. In simpler terms, a penetration test is an authorized, simulated attack with the intent of finding the holes before a bad actor is able to find and exploit them.
Clearly, the two activities differ in both objective and execution: a vulnerability assessment enumerates weaknesses, while a penetration test attempts to exploit them and shows what an attacker could actually reach.
What is a Vulnerability & Why Do They Matter?
Vulnerabilities exist in any technology environment. Companies and people are imperfect, and so are the software, firmware, and computer systems they create. Over time, software vendors, security researchers, or threat actors inevitably find flaws in that software and those systems. When a vulnerability is disclosed, it is typically assigned a CVE (Common Vulnerabilities and Exposures) identifier; the identifier is often reserved by a CVE Numbering Authority before the details are made public.
The CVE list is maintained by MITRE, and each entry is enriched (for example, with a CVSS severity score) in NIST's National Vulnerability Database (NVD). The NVD recorded 19,249 CVEs in 2020 and, at the time of writing, 9,622 so far in 2021. Why does this data matter? It sends a clear message that vulnerabilities are discovered consistently and frequently. Regardless of the technology services, architecture, or systems a company uses, if technology is used, it is susceptible to vulnerabilities.
Fortunately, once a vulnerability is identified, the respective vendor will typically release a patch, fix, or update that remediates it. Depending on the severity and exploitability of the vulnerability, the fix or patch should be applied as soon as possible. I have personally seen a publicly disclosed vulnerability exploited by a malicious actor in less than 24 hours.
Why Might You Do a Vulnerability Assessment Instead of a Penetration Test?
Even if patching an identified vulnerability within a day may seem perfectly acceptable, in the case I mention, it wasn't. Hence, time is of the essence when it comes to vulnerability management. The sooner a company is able to identify the vulnerabilities within its environment, and the sooner it remediates them, the more effective it is in reducing its attack surface. A vulnerability scanning solution is a critical and necessary component of an effective vulnerability management strategy: it is what turns "a patch exists" into "these specific hosts are missing it".
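As an added example (not part of the original article or Linford & Co's material), the script below shows the core of what a vulnerability management process does with scan results: match an asset inventory against advisories by product and version, assign each finding a remediation deadline from its CVSS severity, and flag what is already overdue. All hosts, versions, advisory identifiers (the ADV-* values), dates and the SLA policy are constructed for illustration; none refers to a real product defect or CVE record.

```python
"""Match an asset inventory against vulnerability advisories and compute
remediation deadlines. Constructed example: hosts, products, versions,
advisory identifiers and the SLA policy below are all made up for
illustration (the ADV-* identifiers are placeholders, not CVE records).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    product: str
    fixed_in: str      # first version that contains the fix
    cvss: float        # CVSS v3 base score, 0.0 to 10.0
    published: date    # public disclosure date; the SLA clock starts here


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


# Illustrative remediation policy: days allowed from disclosure to fix, by
# severity band. This is a constructed policy, not a SOC 2 requirement.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score onto its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_version(version: str) -> tuple:
    """Turn '1.9.15' into (1, 9, 15) so versions compare numerically.

    Plain string comparison would rank '1.9.15' above '1.10.0' and silently
    miss a vulnerable host. Real scanners also handle vendor-specific
    schemes (epochs, letter suffixes), which this illustration does not.
    """
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed if it runs the product at a version below the fix."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def find_exposures(assets, advisories, today: date) -> list:
    """Return one finding per (asset, advisory) match, most urgent first.

    Each finding carries the SLA deadline and whether it has already passed.
    A finding that is due today is open, not yet overdue.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            sev = severity(adv.cvss)
            deadline = adv.published + timedelta(days=SLA_DAYS[sev])
            findings.append({
                "host": asset.hostname,
                "advisory": adv.advisory_id,
                "severity": sev,
                "deadline": deadline,
                "overdue": today > deadline,
            })
    findings.sort(key=lambda f: (SLA_DAYS[f["severity"]], f["host"]))
    return findings


# Constructed sample data.
ASSETS = [
    Asset("web-01", "nginx", "1.18.0"),
    Asset("web-02", "nginx", "1.20.1"),      # already at the fixed version
    Asset("db-01", "postgresql", "13.2"),
    Asset("app-01", "openssl", "3.0.1"),
]
ADVISORIES = [
    Advisory("ADV-0001", "nginx", "1.20.1", 9.8, date(2021, 6, 1)),
    Advisory("ADV-0002", "postgresql", "13.3", 6.5, date(2021, 5, 13)),
    Advisory("ADV-0003", "openssl", "3.0.2", 7.5, date(2021, 6, 10)),
]
TODAY = date(2021, 6, 12)  # constructed "scan date"

if __name__ == "__main__":
    for f in find_exposures(ASSETS, ADVISORIES, TODAY):
        status = "OVERDUE" if f["overdue"] else "open"
        print(f'{f["host"]:8} {f["advisory"]} {f["severity"]:8} '
              f'due {f["deadline"]} {status}')
```

With the constructed data, the critical nginx finding on web-01 is already past its one-day window while the medium PostgreSQL finding falls due on the scan date itself; the point for a practitioner is that the deadline is driven by the disclosure date and severity, not by when the scan happened to run, so infrequent scanning quietly eats into the remediation window.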
For the purpose of this article, let's assume all companies use technology in some form or fashion, which means they are susceptible to vulnerabilities. The number of vulnerabilities will differ based on the size of the company and its technology ecosystem, but wherever technology is used, vulnerabilities are bound to exist. Although all companies may use technology to support their business, the types of services they offer can differ significantly.
Consider an online eCommerce company that maintains an external-facing website processing millions of transactions a day. A smaller company that maintains an external-facing website for advertising purposes only, processes no online transactions, and could easily get by if its website went down has a much smaller risk profile and external attack surface. A penetration test may not deliver the same value for the smaller company as for the eCommerce company. While every company should be cognizant of the vulnerabilities that exist within its environment, the value of a penetration test will vary with what is exposed and what is at stake.
Does SOC 2 Require Vulnerability Scanning?
The simple answer is no: the SOC 2 Security category (the common criteria) does not require vulnerability scanning. However, vulnerability scanning is noted as a point of focus for activities that support the achievement of Trust Services Criteria CC7.1:
- “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.”
CC7.1’s applicable point of focus:
- “Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.”
Although vulnerability scanning is not stated as a requirement, but rather as an activity that supports the achievement of CC7.1, companies should strongly consider incorporating vulnerability scanning into their security practices. As noted above, vulnerabilities will continue to challenge any organization that uses computer systems to support either its business or the services it provides to clients. Some industry surveys indicate that nearly 60% of data breaches in the past few years can be traced back to missing patches or updates.
Even though vulnerability scanning isn't a SOC 2 requirement, a user organization may find it hard to accept a clean SOC 2 report that makes no reference to vulnerability scanning performed by the service organization. It is a critical, continuous activity that should not be neglected.
Does SOC 2 Require Penetration Testing?
Again, the simple answer is no. Is it a good idea? Absolutely. As noted above, each company needs to understand its risk profile and determine what makes sense. Any company that offers its services through an interactive public-facing website or API should strongly consider incorporating penetration testing into its security practices. The frequency and scope should be determined based on a thorough risk assessment. Once again, although penetration testing isn't a SOC 2 requirement, it does support the achievement of CC4.1:
- “COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
CC4.1’s applicable point of focus:
- “Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.”
Although continuous vulnerability assessments and penetration testing offer different benefits, incorporating both activities into a security strategy can help a company reduce its attack surface and assess the effectiveness of its vulnerability and configuration management practices. The 2021 cyberattacks on Colonial Pipeline and JBS are a reminder that cybercrime is alive and well, and that while an attack directly affects the victim company, it also has the potential to negatively affect millions more.
If you have questions about the benefits of continuous vulnerability scanning or penetration testing, and how they support the SOC 2 Trust Services Criteria, please contact our team of auditors at Linford & Co.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.