Sorting out audit, vulnerability assessment and pen testing definitions
EXPERT RESPONSE FROM: Kevin Beaver
QUESTION POSED ON: 31 August 2004
A lot of people use security audit, vulnerability assessment and penetration test interchangeably. Can you explain the difference so I'll know which terms to use at the right time?
Yes, technically there is a difference. An audit is performed (usually by an outside expert) to compare what you say you're doing in your security policies and plans to what you're actually doing. A vulnerability assessment is a test (or set of tests) looking at specific weaknesses in your information systems infrastructure. This can be a technical or business-process-focused assessment, or both. A vulnerability assessment is often part of a larger information risk assessment. Finally, a penetration test is an attempt to breach security measures and see if critical information can be obtained. This test can also include less technical tests such as social engineering and physical security exploits. There's usually a well-defined end goal, such as obtaining passwords or access to a database or even a building.
For more info on this topic, visit these SearchSecurity.com resources:
Tip: How to obtain a high quality vulnerability assessment
Tip: Penetration testing methodology
Tip: Vulnerability scanning with Nessus