Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools

Lately, many people have been asking which is more important: using vulnerability analysis tools to assess web-based applications, or focusing on penetration testing. The fact is that both are important, and a combination of the two proves more valuable than either on its own. This article looks at how the web application security industry has evolved and what needs to be done to ensure the security of applications.

Over the past several years I have heard people ask, "should I use vulnerability analysis tools to assess my web-based applications, or should I look to penetration testing?" I think we, as an industry, may be asking the wrong question. First, let's look at how the web application industry has grown over the years and how penetration testing has scaled to meet that challenge.


Before the year 2000, some companies had a web site for marketing purposes, and a few were starting to do a little business on the web. There were of course a lot of DotComs selling things on the web, but real "brick and mortar" businesses were using the web only as a marketing tool. The brick and mortar businesses that understood security asked their penetration testing experts to check out these web applications. Using some simple vulnerability analysis tools, those penetration testers did a good job of checking for simple web application security issues. There were a few people who really knew how to test a web application, but not many. At that time, a few open source vulnerability analysis tools existed, but the market was in its infancy.

Early 2000s

After the DotCom bust, companies actually started to use the web and web-based applications for both internal and external purposes. Most applications still ran on non-web-based platforms, but developers started moving their legacy applications into web-based environments. Developers found that building a web-based application was a bit more complicated, but being able to deploy it through a browser made it all worthwhile. In addition, customers now wanted to transact their business on the web, and as a result companies started to provide some of their services through web applications.

The Right Question (Where we are today)

Today, the problems of the early 2000s have only worsened. The proliferation of web-based interfaces and applications has spread to every part of our lives and businesses. With this growth, we are not only seeing new groups within companies use web-based applications, but we are also seeing that these same groups are using web-based applications for everything they do on the computer. And these applications are also becoming more complex.



Nice article, thanks for sharing it. Yes, everything these days tends to be automatic, and an internet connection is a must in every office. So I guess you can see the results...