How is scanning different from an application pen test?

They discover different kinds of holes.

A scanner is good at finding web server holes, ugly error messages and old source code lying around on your web server. At times, it can even find SQL Injection and Cross Site Scripting holes. A scanner has a large database of known vulnerabilities in web servers, and it checks whether your site is safe against those.

An application pen tester dons the hat of an attacker. He discovers the logical holes that real adversaries are interested in: the ones that allow them to steal credit cards, manipulate prices, siphon off funds and so on. That requires a study of the application: its business context, the motives of the adversary, the workflows and the privilege levels. He then crafts exploits and tests the application. The threats discovered by a pen tester have much greater impact than those discovered by a scanner.

There are other smaller differences too:

  • A scanner takes less time to run after it is set up, usually a day or two.

  • An application pen test can take between one and three weeks, depending on the size of the app and the experience of the tester.

  • Scan reports tend to have many false positives, and even more false negatives. [False positives are false alarms. A false negative is when a hole is missed.] Pen test reports are free from false positives; the number of false negatives depends on the skill of the tester.

  • Most pen testers use a scanner during the pen test to discover web server holes, error messages, comments in code and the like.