Do you have an external third-party perform quarterly vulnerability scans and penetration tests on your applications and annual tests of your networks?

third party vulnerability scan

Third-party vulnerability scans are scans of your organization performed from outside the network by a separate company. These scans attempt to identify vulnerabilities in your organization’s Internet-facing systems.

Why are they asking this?

The use of a third party can bring more neutrality to the process, as there are no vested interests or assumptions made about the systems being scanned. A third party also brings new techniques and new tools to the table, and these can reveal vulnerabilities that internal teams have not detected.

What do they expect?

It is expected that third-party vulnerability scans are performed at least annually, but most organizations require quarterly scans. The third party needs to be an organization that is qualified to perform the scans. An Approved Scanning Vendor (ASV) is required for Payment Card Industry (PCI) certification.

penetration test

A penetration test, or pentest, is an exercise in which a group, usually a third party, attempts to gain access to the target’s network or systems. The group could be a dedicated internal team, but is usually a third party specializing in security and penetration testing. This group is granted permission to attempt to gain illicit access to the system, often without the knowledge of the internal security team, apart from management or senior engineers.


The purpose of this exercise is to determine if there are weaknesses or vulnerabilities in the system that are not detected by vulnerability scans.  These vulnerabilities may be because of the system design, social engineering weaknesses, business logic weaknesses, or other factors that are not detected through automated methods.

Why are they asking this?

Customers know that there are other types of vulnerabilities besides technical vulnerabilities in the software. They want to be assured that the organization also understands that and is working to detect and address these weaknesses. A penetration test shows that your organization is committed to finding these weaknesses. Using a third party for penetration testing brings different perspectives and ideas that may help remove the inherent bias that often exists when an organization examines its own work.

What do they expect?

Customers may ask to review the pentest report from the organization that performed the test. This generally contains sensitive information and is often not fully shared with customers or potential customers. Often it is agreed that the executive summary, with a summary of the findings and no technical details, is shared. If that is not sufficient due to special requirements of the customer, sometimes the customer is invited to review the whole pentest report, under NDA, at the provider’s facility, with control over the notes taken so as not to expose highly sensitive technical information.

external vulnerability scanning

Vulnerability scanning uses software that attempts to connect to hosts on a specified range of ports. When the scanner finds an open port, it tries to identify whether the software listening on that port is affected by any entry in a list of known vulnerabilities. If the system proves to be vulnerable, the finding is added to the report.

The information from a vulnerability scan can be used to either attack the system using known weaknesses or to create a list of vulnerabilities to be addressed.
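As an added illustration, not code from the original page, here is a small Python model of the correlation step a scanner performs: each open port it found (host, port, identified service and version) is matched against a known-vulnerability list, and every match becomes an entry in the report of vulnerabilities to be addressed. The scan lines, the vulnerability list and the ids (EXAMPLE-000x) are all constructed sample data, and hosts use documentation addresses.

```python
import re

# Constructed sample scan output, one line per open port the scanner found:
# "host port service version". Hosts are documentation addresses, not real targets.
SCAN_OUTPUT = """\
203.0.113.10 22 openssh 7.4p1
203.0.113.10 443 nginx 1.18.0
203.0.113.11 80 apache 2.4.29
203.0.113.11 3306 mysql 5.7.30
"""

# Constructed known-vulnerability list with hypothetical ids (not real advisories):
# (service, first affected version inclusive, first fixed version exclusive, id).
KNOWN_VULNS = [
    ("openssh", "7.0", "7.8", "EXAMPLE-0001"),
    ("apache", "2.4.0", "2.4.30", "EXAMPLE-0002"),
    ("mysql", "5.7.0", "5.7.29", "EXAMPLE-0003"),
]


def parse_version(version):
    """Turn '2.4.29' or '7.4p1' into a comparable tuple of integers.
    Only the leading digits of each dot-separated component are used, so a
    suffix such as 'p1' is ignored rather than breaking the comparison."""
    return tuple(int(re.match(r"\d*", part).group() or 0)
                 for part in version.split("."))


def parse_scan(text):
    """Parse the scanner's findings into (host, port, service, version) tuples."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            host, port, service, version = line.split()
            findings.append((host, int(port), service, version))
    return findings


def is_affected(service, version, vuln):
    """True if the detected service/version falls inside the vulnerable range."""
    vuln_service, first_bad, first_fixed, _ = vuln
    if service != vuln_service:
        return False
    return parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed)


def build_report(scan_text, vulns=KNOWN_VULNS):
    """Correlate every open port with the vulnerability list; each match is a finding."""
    return [{"host": h, "port": p, "service": s, "version": v, "id": vuln[3]}
            for h, p, s, v in parse_scan(scan_text)
            for vuln in vulns if is_affected(s, v, vuln)]
```

Running `build_report(SCAN_OUTPUT)` yields two findings (the openssh and apache services); the mysql version is already at or past the fixed version and nginx has no entry in the list, so neither is reported.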

Why are they asking this?

They want your organization to be scanning your external systems so that vulnerabilities are discovered and addressed by you before they can be exploited.

What do they expect?

It is expected that external vulnerability scanning is included in your security plans.  You may include it in the vulnerability management plan or other policies.