The Difference Between Auditing and Vulnerability Scanning
Technical Auditing and Vulnerability Scanning
Why both look the same, yet have subtle differences
When talking about auditing, I see that most technical people immediately think about vulnerability scanning. While they definitely have things in common, there are also a lot of minor differences. In this blog post I will show them, and also share how technical auditing and vulnerability scanning can work together.
Similarities and Differences
Let’s first determine what makes technical auditing and vulnerability scanning look similar. First of all, both processes have a technical focus with the goal of discovery. The output of both is usually a list of issues. The people performing the tests usually have a technical background as well. But then things get different.
When we talk about technical auditing, we mean performing an in-depth health check of a system. A technical audit looks at different areas of the system to determine how well it is configured. Vulnerability scanning, on the other hand, has the main purpose of detecting software flaws. It is often used by penetration testers and other security professionals to determine how well a system is patched.
OpenVAS and Lynis
In the field of Linux systems, let’s compare OpenVAS and Lynis. The first is an open source vulnerability scanner, the latter an open source auditing tool. Both tools have the purpose of finding weaknesses on the system. Where OpenVAS performs a wide range of tests from the network, Lynis runs on the host itself. Each tool will produce different findings, depending on the services it detects.
If you only run OpenVAS, you might see that it detected some services running, like a web server. It will then perform a set of tests against the HTTP or HTTPS port and reveal its findings. Such findings could be weak ciphers in the SSL/TLS configuration. While that is a good thing, it might completely miss that your system time is not properly synced. These kinds of things can be detected by Lynis. So in the end it does not make sense to compare vulnerability scanners with auditing tools, as their focus is different. If you want to compare something, compare Nessus with OpenVAS. Lynis you could compare with OpenSCAP.
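To make the difference concrete, here is an added illustration (not code from Lynis, OpenVAS or this blog) of the two angles described above. A host-side audit check reads local configuration, here a constructed `/etc/chrony.conf` fragment and a constructed `timedatectl show` status, to see whether system time is synchronised. A network-side scan check only sees what the exposed service offers, here a constructed list of TLS cipher suites returned by a web server. The finding identifiers and the weak-cipher marker list are assumptions made for this example, not the rule sets of either tool.

```python
"""Added illustration: one host seen from two angles.

audit_time_sync()  - host-side check in the Lynis style: inspects local config
scan_tls_ciphers() - network-side check in the OpenVAS style: inspects what a
                     service offers over the wire
Neither view alone covers both findings.
"""
import re

# Constructed sample of /etc/chrony.conf (not taken from any real host).
# The only pool line is commented out, so no time source is active.
SAMPLE_CHRONY_CONF = """\
# Use public servers from the pool.ntp.org project.
#pool 2.debian.pool.ntp.org iburst
driftfile /var/lib/chrony/chrony.drift
rtcsync
"""

# Constructed sample of `timedatectl show` output.
SAMPLE_TIMEDATECTL = "NTP=no\nNTPSynchronized=no\n"

# Constructed list of cipher suites a web server offered during a TLS scan.
SAMPLE_OFFERED_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

# Assumption: a simplified deny-list of substrings that mark a cipher as weak
# for this illustration only; real scanners use far more detailed rule sets.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_time_sync(chrony_conf: str, timedatectl_out: str) -> list[str]:
    """Host-side audit check: is a time source configured and is the clock synced?"""
    findings = []
    # Count active (uncommented) 'server' or 'pool' directives.
    sources = [
        line for line in chrony_conf.splitlines()
        if re.match(r"^\s*(server|pool)\s+\S+", line)
    ]
    if not sources:
        findings.append("TIME-001: no active NTP server/pool directive in chrony.conf")
    # Parse KEY=VALUE lines from the timedatectl output.
    status = dict(
        line.split("=", 1) for line in timedatectl_out.splitlines() if "=" in line
    )
    if status.get("NTPSynchronized", "no").lower() != "yes":
        findings.append("TIME-002: system clock reports NTPSynchronized=no")
    return findings


def scan_tls_ciphers(offered: list[str]) -> list[str]:
    """Network-side scan check: flag weak cipher suites the service offers."""
    findings = []
    for cipher in offered:
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"TLS-001: weak cipher offered: {cipher}")
    return findings


def combined_report(chrony_conf: str, timedatectl_out: str, offered: list[str]):
    """Merge both views into one list, tagged with the kind of check that found each."""
    report = [("audit", f) for f in audit_time_sync(chrony_conf, timedatectl_out)]
    report += [("scan", f) for f in scan_tls_ciphers(offered)]
    return report


if __name__ == "__main__":
    for kind, finding in combined_report(
        SAMPLE_CHRONY_CONF, SAMPLE_TIMEDATECTL, SAMPLE_OFFERED_CIPHERS
    ):
        print(f"[{kind}] {finding}")
```

Run as-is, the audit half reports the missing time source and the unsynchronised clock, while the scan half reports the two weak ciphers; the scan never sees the clock problem and the audit never sees what the web server offers, which is the point of running both.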
- Technical focus
- Find weaknesses
- Audit performs health check, vulnerability scan checks for software weaknesses
- Audit can be more generic, vulnerability scan focuses on software