09 February 2021 | Scott Nursten
We put Continuous Vulnerability Assessment and Penetration Testing side-by-side and discuss the pros and cons of each approach.
Firstly, let's clear up what is meant by each, then we'll see where they belong in your cyber resilience strategy.
Continuous Vulnerability Assessment (CVA) is all about using an automated platform to identify vulnerabilities in your corporate IT infrastructure.
Unfortunately, as with most technologies, different vendors deliver this in dramatically different ways, each with its own approach to the challenge. The key things that a CVA platform should provide are:
In addition, it's our belief that a good CVA platform should also provide:
In essence, vulnerability assessment should drive your vulnerability and risk management process on a day-to-day basis.
For us, Penetration Testing should be about all the things automation can't do. Unfortunately, in our experience, that often isn't the case. In fact, most 'pen testing' is actually just a human running a CVA platform and 'topping and tailing' the output to suit the 'test'.
Don't get me wrong though: that isn't what 'pen testing' is about; it's just become an easy way to sell services and deliver them at high margin. From my perspective, a pen test can include everything that's in the CVA section, but more importantly it's about doing everything else, for example:
These are the things that cannot easily be automated (I know, never say never). Beyond this, great pen testers will also offer:
Here's a handy table for you to use when deciding what you need (👍 = a good fit, 🙈 = not a good fit):

| What you need | Pen Test | CVA |
|---|---|---|
| On-going risk and vulnerability management | 🙈 | 👍 |
| Improved remediation & patching | 🙈 | 👍 |
| Continuous visibility for certifications (like Cyber Essentials) | 🙈 | 👍 |
| Automated asset management / alerting | 🙈 | 👍 |
| Gamification of SLAs with integration into service desk | 🙈 | 👍 |
| Visibility into changes in your infrastructure | 🙈 | 👍 |
| Understanding the human factors in your security | 👍 | 🙈 |
| Testing your physical security | 👍 | 🙈 |
| Ensuring IoT, wireless, phone systems are secure | 👍 | 🙈 |
| Testing your disposal/destruction process | 👍 | 🙈 |
| Testing your incident response capability | 👍 | 🙈 |
| Understanding your external data footprint | 👍 | 🙈 |
What's clear from this comparison is that there are good uses for both approaches; just don't pay pen testers to do a job that can easily be automated.
Likewise, it's clear that CVA helps eliminate a lot of risk, but there are still elements that can't be controlled through automation.