As the name suggests, we're going to put Continuous Vulnerability Assessment and Penetration Testing side-by-side and discuss the pros and cons of each approach.
Firstly, let's clear up what is meant by each.
Continuous Vulnerability Assessment
Continuous Vulnerability Assessment (CVA) is all about using an automated platform to identify vulnerabilities in your corporate IT infrastructure.
Unfortunately, as with most technologies, vendors deliver this in dramatically different ways, each with its own approach to the challenge. The key things that a CVA platform should provide are:
- Regular, automated scanning of infrastructure
- Clear risk prioritisation
- Patch management / remediation assistance or automation
- Live dashboards / maps of risk with integrated threat feeds
Furthermore, it is our opinion that a good CVA platform should also provide:
- Insight into configuration of common platforms highlighting weaknesses / issues
- Policy compliance and reporting (CIS, NIST, PCI, etc.)
- Cloud and virtual infrastructure assessment
- Remediation prioritisation with goals and SLAs (Cyber Essentials, etc.)
- Ability to automate remediation / patching
- Integration with service desk platforms
- Ability to perform invasive & disruptive attacks
In essence, vulnerability assessment should drive your vulnerability and risk management process on a day-to-day basis.
Penetration Testing
For us, Penetration Testing should be about all the things automation can't do. Unfortunately, from our experience, we find that isn't the case. In fact, most 'pen testing' is just a human running a CVA platform and 'top and tailing' the output to suit the 'test'.
Don't get me wrong: that isn't what 'pen testing' is about; it has just become an easy way to sell services and deliver them at high margin. From my perspective, a pen test can include everything in the CVA section, but more importantly it is about doing everything else, for example:
- Red teaming (attack simulation)
- Social engineering
- Dumpster diving
- War-driving organisation offices / war-dialling / wireless penetration
- Gaining physical access to premises and delivering 'pizza of doom' style attacks
These are the things that cannot (I know, never say never) easily be automated. Beyond this, great pen testers will also offer:
- Blue and purple teaming
- Code review
- Architecture reviews and response planning
Comparison side by side
Here's a handy table for you to use when deciding what you need:
| Need | Penetration Testing | Continuous Vulnerability Assessment |
|---|---|---|
| On-going risk and vulnerability management | 🙈 | 👍 |
| Improved remediation and patching | 🙈 | 👍 |
| Continuous visibility for certifications (like Cyber Essentials) | 🙈 | 👍 |
| Automated asset management / alerting | 🙈 | 👍 |
| Gamification of SLAs with integration into service desk | 🙈 | 👍 |
| Visibility into changes in your infrastructure | 🙈 | 👍 |
| Understanding the human factors in your security | 👍 | 🙈 |
| Testing your physical security | 👍 | 🙈 |
| Ensuring IoT, wireless and phone systems are secure | 👍 | 🙈 |
| Testing your disposal/destruction process | 👍 | 🙈 |
| Testing your incident response capability | 👍 | 🙈 |
| Understanding your external data footprint | 👍 | 🙈 |
What's clear from this comparison is that there are good uses for both approaches; just don't pay pen testers to do a job that can easily be automated.
Likewise, it's clear that CVA helps eliminate a lot of risk, but there are still elements that can't be controlled through automation.