How is scanning different from an application pen test?
They discover different kinds of holes.
A scanner is good at finding web server holes, ugly error messages and old source code lying around on your web server. At times, it can even find SQL Injection and Cross-Site Scripting holes. A scanner has a large database of known vulnerabilities in web servers, and it checks whether your site is safe against those.
An application pen tester dons the hat of an attacker. He discovers logical holes real adversaries are interested in that allow them to steal credit cards, manipulate prices, siphon off funds etc. That requires a study of the application - its business context, the motives of the adversary, the workflows, the privilege levels. He then crafts exploits and tests the application. The threats discovered by a pen tester have much greater impact than those discovered by a scanner.
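To make the two kinds of finding concrete, here is an added illustration (not from the original page, and not any real scanner or product): a toy signature scanner that matches a constructed site against a constructed vulnerability database, beside a checkout workflow with the kind of logical hole a pen tester looks for. The site, the signatures, the catalog prices and the handler names are all assumptions made for the example.

```python
"""Signature scanning vs. logic testing, as an added illustration.

Everything here is constructed for the example: the fake site, the signature
database and the checkout handlers are not from any real scanner or product.
"""
import re

# --- Part 1: what a scanner does -------------------------------------------
# A scanner matches responses against a database of known-vulnerability
# signatures. These three entries are constructed examples of that shape:
# (finding name, what to inspect, which header/path, regex to look for).
SIGNATURES = [
    ("outdated-server-banner", "header", "Server", r"ExampleHTTPd/1\.0"),
    ("stack-trace-in-error", "body", "/error", r"Traceback \(most recent call last\)"),
    ("old-source-on-server", "status", "/app.py.bak", r"^200$"),
]

# Constructed site: path -> (status, headers, body)
FAKE_SITE = {
    "/": (200, {"Server": "ExampleHTTPd/1.0"}, "<html>Shop</html>"),
    "/error": (500, {"Server": "ExampleHTTPd/1.0"},
               "Traceback (most recent call last):\n  File ..."),
    "/app.py.bak": (200, {"Server": "ExampleHTTPd/1.0"}, "# old source"),
    "/checkout": (200, {"Server": "ExampleHTTPd/1.0"}, "OK"),
}


def fetch(path):
    """Stand-in for an HTTP GET against the constructed site."""
    return FAKE_SITE.get(path, (404, {}, "Not found"))


def scan(site_fetch=fetch):
    """Return the names of the signatures that matched.

    This is pure pattern matching: it knows nothing about what /checkout is
    for, so a logical hole in that workflow can never show up here.
    """
    findings = []
    for name, where, target, pattern in SIGNATURES:
        if where == "header":
            _status, headers, _body = site_fetch("/")
            if re.search(pattern, headers.get(target, "")):
                findings.append(name)
        elif where == "body":
            _status, _headers, body = site_fetch(target)
            if re.search(pattern, body):
                findings.append(name)
        elif where == "status":
            status, _headers, _body = site_fetch(target)
            if re.search(pattern, str(status)):
                findings.append(name)
    return findings


# --- Part 2: what a pen tester looks for -----------------------------------
CATALOG = {"widget": 25.00, "gadget": 40.00}  # constructed server-side prices


def checkout_vulnerable(cart, client_total):
    """Logical hole: the server trusts the total the client computed."""
    return {"charged": client_total, "items": sorted(cart)}


def checkout_fixed(cart, client_total):
    """Hardened: the price is recomputed from the server-side catalog, and the
    client-supplied figure is only used to detect tampering."""
    server_total = round(sum(CATALOG[item] * qty for item, qty in cart.items()), 2)
    if abs(server_total - client_total) > 0.005:
        raise ValueError("cart total mismatch; rejecting order")
    return {"charged": server_total, "items": sorted(cart)}


def logic_test(handler):
    """A workflow check no signature can express: does the handler honour a
    total the client has altered? Returns True when the handler is vulnerable."""
    cart = {"widget": 2, "gadget": 1}  # fair price: 90.00
    try:
        result = handler(cart, 0.01)  # altered total
    except ValueError:
        return False
    return result["charged"] < 90.00


if __name__ == "__main__":
    print("scanner findings:", scan())
    print("vulnerable handler accepts altered total:", logic_test(checkout_vulnerable))
    print("fixed handler accepts altered total:", logic_test(checkout_fixed))
```

The scanner reports all three signature hits and nothing about the checkout, because nothing in a signature database describes "the server believes the price the browser sent". The logic check only exists because someone studied the workflow; the fix is to recompute the price from server-side data, which is the point the text makes about impact.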
There are other smaller differences too:
- A scanner takes less time to run after it is set up – usually a day or two.
- An application pen test can take between one and three weeks, depending on the size of the app and the experience of the tester.
- Scan reports tend to have many false positives, and even more false negatives. [False positives are false alarms. A false negative is when a hole is missed.] Pen test reports are free from false positives. The number of false negatives depends on the skill of the tester.
- Most pen testers use a scanner to discover web server holes, error messages, comments in code etc. during the pen test.