Vulnerability Assessment and Penetration Testing Comparison

  • Jignesh C Doshi
  • Bhushan Trivedi


Abstract

Business use of the internet has grown sharply in the past decade, and attacks on web applications have increased with it. As a result, web application security is a major challenge for any organization. Several approaches exist to mitigate security risks: defensive coding, hardening (firewalls), monitoring and auditing. These solutions are mostly oriented towards blocking attacks or monitoring for them. Vulnerability assessment and penetration testing are the two approaches organizations most widely use to evaluate web application security. The two are different and complementary to each other. This paper compares them. The authors find that penetration testing is better than vulnerability assessment in that it exploits vulnerabilities, while vulnerability assessment is superior in terms of coverage.

General Terms

Vulnerability Assessment, Penetration Testing

Keywords

Attack, Vulnerability, Security Risk, VAPT


1. Introduction

Web application usage has increased as more and more services become available on the web, and business use of web applications is growing day by day. On the other side, web application based attacks have increased, and web applications have become the main target of attackers. The major impacts of such attacks are data loss, financial loss and reputation loss.

Various types of countermeasures exist to protect systems against attacks, such as defensive coding, firewalls and intrusion detection systems [15]. These solutions fall into two categories: proactive and reactive. To secure web applications, a thorough understanding of their vulnerabilities is required; that understanding helps in taking proper actions. Vulnerability assessment and penetration testing are the approaches most widely used by organizations for web application security assessment.

In this paper, the authors compare vulnerability assessment and penetration testing.

The rest of the paper is organized as follows. Current web application security trends are discussed in Section 2, vulnerability assessment in Section 3 and penetration testing in Section 4. Section 5 describes the comparison between vulnerability assessment and penetration testing. The conclusion is stated in Section 6.

2. Current Web Application Security Trends

The number of internet users and websites has increased rapidly in recent years [9]. According to Gartner, approximately 66% of web applications have security problems. According to sophisticated vulnerability assessment tools, 60% of vulnerabilities can be found in most web applications [12].

The security measures most commonly applied for web application security are firewalls, intrusion detection systems (IDS), anti-virus systems and defensive coding [14][15]. These solutions require either developer skills or ongoing effort [15]. They protect the system, but organizations also need a way to evaluate how effective their preventive measures are. It is also necessary to evaluate web applications periodically against security risks in order to take proper actions.

3. Vulnerability Assessment

A vulnerability is a weakness or flaw in a system. Vulnerabilities arise from weak passwords, coding errors, missing input validation, misconfiguration and so on. An attacker tries to discover a vulnerability and then exploit it.

Vulnerability assessment is a proactive and systematic process to discover vulnerabilities. It is used to discover unknown problems in the system. It is also required by industry standards such as PCI DSS from a compliance point of view.

Vulnerability assessment is performed using scanners. It is a hybrid solution, which combines automated testing with expert analysis.

Figure 1: Vulnerability Assessment Process

Vulnerability assessment is a one-step process (refer to Figure 1). More details about vulnerability assessment are given in Section 5.

4. Penetration Testing

Penetration testing evaluates the security of a computer system or network by simulating an attack. It is a proactive and systematic approach to security assessment.

Figure 2: Penetration Testing Process

Penetration testing is a two-step process (refer to Figure 2). More details about penetration testing are given in the next section.
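The one-step and two-step processes described above can be made concrete with the following Python example. It is added here as an illustration and is not code from the paper. It models a tiny web application with two endpoints: one builds a SQL query by string concatenation and is genuinely injectable, the other binds the same input as a parameter. The vulnerability-assessment step is a pattern-based scan of the handler source, which flags both endpoints (one of them a false positive, which is exactly the limitation the paper attributes to scanners); the penetration-testing step then sends a tautology payload to each flagged endpoint and confirms only what it can actually exploit. The endpoints, the data, the scanning rule and the payload are all constructed for this example.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed target: an in-memory "web application" with two request
# handlers. Everything here (endpoints, data, rule, payload) is made up
# for the example and is not from the paper.

def _build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn

DB = _build_db()

def search(q):
    # Vulnerable: untrusted input is concatenated into the SQL text.
    rows = DB.execute("SELECT name FROM users WHERE name = '" + q + "'")
    return [r[0] for r in rows]

def profile(q):
    # Safe: the same input is bound as a parameter and never parsed as SQL.
    rows = DB.execute("SELECT name FROM users WHERE name = ?", (q,))
    return [r[0] for r in rows]

# What a source scanner sees for each endpoint, alongside the live handler.
HANDLERS = {
    "/search":  {"source": '''DB.execute("SELECT name FROM users WHERE name = '" + q + "'")''',
                 "call": search},
    "/profile": {"source": '''DB.execute("SELECT name FROM users WHERE name = ?", (q,))''',
                 "call": profile},
}

@dataclass
class Finding:
    endpoint: str
    rule: str
    confirmed: bool = False   # only the exploitation step can set this
    evidence: str = ""

# Naive scanner rule: "untrusted q reaches a SELECT". It cannot tell
# concatenation from parameter binding, which is where false positives come from.
SQLI_RULE = re.compile(r"execute\(.*SELECT.*\bq\b")

def vulnerability_assessment(handlers):
    """Step 1 (vulnerability assessment): discover candidate flaws, no exploitation."""
    return [Finding(ep, "possible SQL injection: 'q' reaches a SELECT")
            for ep, h in handlers.items() if SQLI_RULE.search(h["source"])]

# Tautology payload: a benign lookup of 'nobody' returns no rows, so any
# rows at all mean the OR clause was parsed as SQL rather than as data.
PAYLOAD = "nobody' OR '1'='1"

def penetration_test(handlers, findings):
    """Step 2 (penetration testing): try to exploit each finding and record the outcome."""
    for f in findings:
        try:
            leaked = handlers[f.endpoint]["call"](PAYLOAD)
        except sqlite3.Error as e:
            f.evidence = f"payload caused a query error: {e}"   # probably injectable, not confirmed
            continue
        if leaked:
            f.confirmed = True
            f.evidence = f"tautology returned {len(leaked)} rows: {leaked}"
        else:
            f.evidence = "payload treated as literal data; no rows returned (false positive)"
    return findings

def run():
    """Full VAPT run: assessment first, then exploitation of what it found."""
    return penetration_test(HANDLERS, vulnerability_assessment(HANDLERS))

if __name__ == "__main__":
    for f in run():
        status = "CONFIRMED" if f.confirmed else "not exploitable"
        print(f"{f.endpoint}: {f.rule} -> {status}; {f.evidence}")
```

Running it prints two findings from the assessment step but only one confirmed exploit from the penetration step; the scanner's hit on `/profile` is the false positive that only exploitation can rule out, and the leaked row list for `/search` is the impact evidence that a scan alone never produces.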

5. Comparison

5.1 Generic

Aspect | Vulnerability Assessment | Penetration Testing
--- | --- | ---
 | Discovers vulnerabilities | Discovers and exploits vulnerabilities
 | Alerts on known flaws found in code | Shows how damaging a flaw is as a threat to the application
 | Does not differentiate between flaws that can cause damage and those that cannot | Gives a detailed list of the flaws found in the application, with the risk associated with each
Discovery and scanning | One-step process: find vulnerabilities | Two-step process: find and exploit vulnerabilities
 | Breadth over depth | Depth over breadth
 | Hybrid solution | One solution for testing multiple vulnerabilities
 | Completeness of coverage | 
Defense ability | Detective control, used to detect when equipment has been compromised | Preventive control, used to reduce exposure
 | Low to moderate | 
Performed by | In-house staff | Attacker or pen tester


5.2 Resource Requirements

Aspect | Vulnerability Assessment | Penetration Testing
--- | --- | ---
Internal resource requirement |  | 
External resource requirement |  | 
Tester knowledge |  | 


5.3 Testing

Aspect | Vulnerability Assessment | Penetration Testing
--- | --- | ---
Testing of other security investments | Not possible | Determines whether other security investments are working properly
Security risk assessment | Not possible | Provides a security risk assessment, since it mimics attacks just as an attacker would
 | Does not simulate attacks | Simulates real-world attacks
How often to run | Continuously, especially after new equipment is loaded | 


5.4 Results

Vulnerability Assessment | Penetration Testing
--- | ---
Comprehensive baseline of what vulnerabilities exist and what has changed since the last report | Short and to the point; identifies what data was actually compromised
Lists known software vulnerabilities that may be exploited | Discovers unknown and exploitable exposures to normal business processes
Provides a partial assessment of vulnerabilities | Provides a complete assessment of vulnerabilities


5.5 Limitations

The major limitations of vulnerability assessment are:

  • Cannot identify potential access paths
  • Produces false positives
  • Requires high technical skill from the tester
  • Is a hybrid solution
  • Cannot exploit flaws

The major limitations of penetration testing are:

  • Identifies potential access paths
  • Identifies only those flaws which pose a threat
  • May not identify every available vulnerability
  • Cannot provide information about new vulnerabilities
  • Cannot identify server-side vulnerabilities

6. Conclusion

With the exception of coverage, penetration testing is superior to vulnerability assessment.

The key benefits of penetration testing over vulnerability assessment are:

  • The technical competence required for penetration testing is low compared to vulnerability assessment
  • It can be used at runtime
  • With penetration testing we can detect, confirm and exploit a vulnerability
  • With penetration testing we can determine the resulting impact on the organisation

For effective security, it is important to understand vulnerabilities in detail.

Both are proactive strategies and complementary to each other. We suggest using both together.


7. References

  1. Vulnerability Assessment and Penetration Testing: security/vulnerability-assessment-and-penetration-testing
  2. John Barchie, Triware Networld Systems: Penetration Testing vs. Vulnerability Scanning:
  3. Penetration Testing Limits: http://
  4. Vulnerability Analysis
  5. Open Web Application Security Project: Vulnerability
  6. Penetration Testing: http://searchsoftwarequality
  7. Vulnerability Assessment and Penetration Testing:
  8. Ankita Gupta, Kavita, Kirandeep Kaur: Vulnerability Assessment and Penetration Testing,
  9. International Journal of Engineering Trends and Technology, Volume 4, Issue 3, 2013, ISSN: 2231-5381, pp. 328-330
  10. Konstantinos Xynos, Iain Sutherland, Huw Read, Emlyn Everitt and Andrew J.C. Blyth: Penetration Testing and Vulnerability Assessments: A Professional Approach, originally published in the Proceedings of the 1st International Cyber Resilience Conference, Edith Cowan University, Perth, Western Australia, 23rd August 2010, available at:
  11. You Yu, Yuanyuan Yang, Jian Gu and Liang Shen: Analysis and Suggestions for the Security of Web Applications, International Conference on Computer Science and Network Technology, 2011, 978-1-4577-1587-7/11, IEEE
  12. Andrey Petukhov, Dmitry Kozlov: Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing, accessed on 31st January 2015
  13. Parvin Ami, Ashikali Hasan: Seven Phrase Penetration Testing Model, International Journal of Computer Applications (0975-8887), Volume 59, No. 5, December 2012
  14. Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones: An Overview of Penetration Testing, International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011, DOI: 10.5121/ijnsa.2011.3602
  15. Jignesh Doshi, Bhushan Trivedi: Assessment of SQL Injection Solution Approaches, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 4, Issue 10, October 2014, ISSN: 2277 128X

