When it comes to penetration testing, there are any number of automated tools available in the marketplace—both the high-priced sophisticated lot and their inexpensive counterparts that are just about adequate. However, the ideal pen test is more than just a series of automated tests ticked off on a checklist (as we mentioned in our last blog—The Foolproof Penetration Testing Checklist). The effective pen test goes beyond the technical to test business logic vulnerabilities as well. It studies the vulnerability of your entire system and not just isolated, discrete functionalities. In short, there is no automated-versus-manual debate: the ideal pen test is one that uses automated tools but is led by human intelligence and insight.
Not automated versus manual; rather automated AND manual
Comprehensive coverage, both breadth and depth: Automated tools can identify simple and well-known forms of the common technical vulnerabilities. The more complex vulnerabilities, those related to application logic or security functionality design for instance, require manual intervention. While automated tools are admittedly more efficient and thorough than the manual approach, they tend to focus on a particular area of vulnerability or individual flaw, necessitating multiple pen testing tools. Additionally, they usually set off a high number of false positives and miss business logic vulnerabilities. With manual testing, on the other hand, you can not only examine specific flaw categories (such as business and design logic flaws), but also identify specific application vulnerabilities within the scoped domains. Finally, manual testing takes testing to its next logical step—from simply identifying vulnerabilities to analyzing whether multiple low-risk flaws can together constitute a critical vulnerability.
Speed and efficiency beyond human capacity: Standalone manual testing is not exhaustive enough to uncover all vulnerabilities, especially where you require hundreds of iterations to identify patterns. A manual tester can be ably assisted by tools that improve his efficiency; for example, by enabling the automation of a series of steps that, if undertaken manually, would be long-drawn and impractical.
Safe testing: Automated tools cannot view a specific function within its context, so if pen testing a particular functionality could lead to data being compromised or the application being critically altered, it is better to have a manual overview of such processes. Manual testing allows you to customize the testing for specific functions to ensure that they are not exploited beyond repair. In any case, every automated test demands manual verification for false alarms, a manual scan for client-specific vulnerabilities, etc. So, one cannot completely automate pen testing.
Protection against different kinds of threats: Automated scans will protect you against automated attacks, which is what most attackers use. But what about the focused attacker who uses complex methods to enter and exploit your infrastructure? Only human intervention that complements automated scans can foil the clever human attacker.
Staying relevant: A manual tester is only as good as his skill and expertise. Unless he constantly updates himself with knowledge of new threats, his testing will not be exhaustive and complete. In this, he can be helped by sophisticated automated tools that are regularly updated to combat new threats.
When it comes to pen testing, automated testing that is complemented by security expert validation and analysis is your best bet to detect all vulnerabilities and achieve the highest levels of security assurance. However, independent and trained testing professionals are expensive, and hiring and retaining such resources in-house escalates the cost of threat management. Hence the growing need for on-demand solutions that combine automated and manual testing in a cost-effective and scalable manner.
Manoj Rai has around 14 years of IT experience in Enterprise Applications, Mobile and Infrastructure security. He has rich and diverse global experience in leading large engagements and building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science, an MBA in Systems and an Executive Delivery Program from IIM-Bangalore. He is a regular speaker on various technical subjects such as Ethical Hacking, Mobile security, Secure SDLC and Cloud Security at CISO platforms, OWASP, BLUG, NULL etc. He blogs regularly and has published white papers on threat management and best practices in various social groups.