You've just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?

Don't get hacked!

An often overlooked, but very important, process in the development of any Internet-facing service is testing it for vulnerabilities, knowing whether those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, a penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

Let's examine the differences in depth and see how they complement each other.

Vulnerability assessment

Vulnerability assessments are most often confused with penetration tests, and the terms are often used interchangeably, but they are worlds apart.

Vulnerability assessments are performed using an off-the-shelf software package, such as Nessus or OpenVAS, to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if they are found. The software then produces a report that lists the vulnerabilities found and (depending on the software and options selected) gives an indication of the severity of each vulnerability and basic remediation steps.

It's important to keep in mind that these scanners use a list of known vulnerabilities, meaning vulnerabilities already known to the security community, to hackers and to the software vendors. There are vulnerabilities that are unknown to the public at large, and these scanners will not find them.

Penetration test

Many "professional penetration testers" will actually just run a vulnerability scan, package up the report with a nice, pretty bow and call it a day. Nope – this is only the first step in a penetration test. A good penetration tester takes the output of a network scan or a vulnerability assessment and takes it to 11 – they probe an open port and see what can be exploited.

For example, let's say a website is vulnerable to Heartbleed. Many websites still are. It's one thing to run a scan and say "you are vulnerable to Heartbleed" and a completely different thing to exploit the bug, discover the depth of the problem and find out exactly what type of information could be revealed if it were exploited. This is the main difference – the website or service is actually being penetrated, just as a hacker would do.

Similar to a vulnerability scan, the results are usually ranked by severity and exploitability, with remediation steps provided.

Penetration tests can be performed using automated tools, such as Metasploit, but veteran testers will write their own exploits from scratch.

Risk analysis

A risk analysis is often confused with the previous two terms, but it is also a very different animal. A risk analysis doesn't require any scanning tools or applications – it's a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.

Many factors are considered when performing a risk analysis: the asset, the vulnerability, the threat and the impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to Heartbleed.

The analyst would first look at the vulnerable server, where it sits in the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed has a much different risk posture than a customer-facing web server that stores credit card data and is also vulnerable to Heartbleed. A vulnerability scan does not make these distinctions. Next, the analyst examines the threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of their capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if an organized crime ring exploited Heartbleed and acquired cardholder data?

A risk analysis, when completed, will have a final risk rating along with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether or not to implement them.

The three concepts explained here are not exclusive of each other, but rather complement each other. In many information security programs, vulnerability assessments are the first step – they are used to perform wide sweeps of a network to find missing patches or misconfigured software. From there, one can either perform a penetration test to see how exploitable the vulnerability is or a risk analysis to ascertain the cost/benefit of fixing the vulnerability. Of course, you don't need either to perform a risk analysis. Risk can be determined anywhere a threat and an asset are present. It can be a data center in a hurricane zone or confidential papers sitting in a wastebasket.

It's important to know the difference – each is significant in its own way, and they have vastly different purposes and outcomes. Make sure any company you hire to perform these services also knows the difference.
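The risk-analysis comparison above (an internal server holding no data versus a customer-facing web server holding cardholder data, both flagged for Heartbleed) can be made concrete. The following is an added example, not code from the original article: it takes a constructed scanner finding that rates both hosts identically, then applies asset exposure, threat profile and data impact to produce a risk rating, and shows how mitigating controls change the residual risk. The scoring tables, field names, host addresses and control names are assumptions made for illustration, not a Nessus or OpenVAS schema or any standard risk formula.

```python
from dataclasses import dataclass

# Constructed scanner output (not real Nessus/OpenVAS data): the same signature
# fires on two hosts and the scanner gives both the same severity, because it
# only knows the vulnerability, not the asset behind the IP address.
SCAN_FINDINGS = [
    {"host": "10.0.5.20",    "plugin": "OpenSSL Heartbleed", "severity": "High"},
    {"host": "203.0.113.10", "plugin": "OpenSSL Heartbleed", "severity": "High"},
]

# Assumed scoring tables. Likelihood and impact both land on a 1..5 scale.
EXPOSURE = {"internal_only": 1, "partner_network": 2, "internet_facing": 3}
THREAT_INTEREST = {"opportunistic": 0, "insider": 1, "organized_crime": 2}
DATA_IMPACT = {"none": 1, "internal": 2, "pii": 4, "cardholder": 5}


@dataclass(frozen=True)
class Asset:
    host: str
    exposure: str    # key in EXPOSURE: where the server sits in the network
    data: tuple      # keys in DATA_IMPACT; ("none",) if it stores nothing
    threats: tuple   # keys in THREAT_INTEREST the analyst judges likely


def likelihood(asset):
    """Exposure plus the most capable threat credibly interested: 1..5."""
    return EXPOSURE[asset.exposure] + max(THREAT_INTEREST[t] for t in asset.threats)


def impact(asset):
    """Worst-case consequence is driven by the most sensitive data held: 1..5."""
    return max(DATA_IMPACT[d] for d in asset.data)


def rating(score):
    """Map a likelihood x impact product (0..25) onto a qualitative band."""
    if score == 0:
        return "Remediated"
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def apply_controls(asset, controls):
    """Mitigating controls change the risk factors, not the scanner finding."""
    exposure, data = asset.exposure, asset.data
    if "segment_from_internet" in controls:
        exposure = "internal_only"
    if "tokenize_card_data" in controls:
        data = tuple("none" if d == "cardholder" else d for d in data)
    return Asset(asset.host, exposure, data, asset.threats)


def assess(asset, controls=()):
    """Risk statement for one finding on one asset, after optional controls."""
    if "patch_openssl" in controls:   # fixing the bug removes the vulnerability
        return {"host": asset.host, "score": 0, "rating": "Remediated"}
    a = apply_controls(asset, controls)
    score = likelihood(a) * impact(a)
    return {"host": a.host, "likelihood": likelihood(a), "impact": impact(a),
            "score": score, "rating": rating(score)}


# Constructed asset context for the two hosts in the scan (hypothetical).
INTERNAL_TEST_BOX = Asset("10.0.5.20", "internal_only", ("none",), ("insider",))
CHECKOUT_WEB = Asset("203.0.113.10", "internet_facing", ("cardholder", "pii"),
                     ("organized_crime", "opportunistic"))


def scanner_vs_risk():
    """Side by side: what the scanner said versus what the risk analysis says."""
    context = {a.host: a for a in (INTERNAL_TEST_BOX, CHECKOUT_WEB)}
    return {f["host"]: (f["severity"], assess(context[f["host"]])["rating"])
            for f in SCAN_FINDINGS}


if __name__ == "__main__":
    for host, (sev, risk) in scanner_vs_risk().items():
        print(f"{host}: scanner={sev} risk={risk}")
    for ctl in (("segment_from_internet", "tokenize_card_data"), ("patch_openssl",)):
        print(ctl, assess(CHECKOUT_WEB, ctl))
```

The scanner's "High" is the same for both hosts; the risk rating is "Low" for the internal box and "Critical" for the checkout server, and the residual rating after segmentation plus tokenization drops to "High" while patching removes the finding altogether. That is the business-facing output a risk analysis adds on top of a scan.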