Manual & Automated – A Comprehensive Pentesting Strategy
Felix Brombacher, Aug 07, 2020
This blog is a joint effort by Alice&Bob.Company and Crashtest Security – a strong partnership enabling thorough vulnerability testing. Penetration testing is an essential function in any cybersecurity strategy.
A proven method of increasing security is to simulate the attack on yourself and fix vulnerabilities before someone else finds them. Traditionally this has been done manually by a penetration tester (a “pentester”) or ethical hacker, someone who specialises in the techniques used by attackers. A skilled pentester will work through an exhaustive list of vulnerability classes and attempt to exploit every area of the web application. It is a time-consuming process, but a necessary one for any business that takes security seriously.
But what happens when your application is updated frequently? Having a manual pentest every week, or even every month, is unrealistic for most firms. This is where we see the case for automated pentesting, or continuous vulnerability scanning. By running an automated pentest with every update, you can eliminate the bulk of the common, well-understood vulnerabilities before they ever reach production. This creates an underlying security baseline.
By working in tandem with manual pentests, we can provide a more robust layer of protection.
The Crashtest Security Suite offers cutting edge scanning capabilities in a user-friendly interface. The scanners cover the full range of OWASP Top 10 vulnerabilities and integrate directly into your CI/CD pipeline. Scans can be triggered via webhooks, and developers will be notified immediately of any vulnerabilities found and provided remediation links. By building security into the overall development process, you will have a more secure application, which will mean more value for your manual pentests. This is continuous security.
While automated Penetration Testing should be carried out regularly and embedded in the Secure Development Lifecycle (SDLC), manual penetration testing is still necessary. It must be carried out whenever relevant infrastructural, architectural and functional changes are deployed.
You may wonder, “Why do we need both approaches when they are both about security testing?” The main reason is that neither strategy provides complete coverage alone. But when combined, they offer the comprehensive range that penetration testing can achieve. Automated penetration testing is an affordable and fast method, enabling DevSecOps teams to quickly learn about possible weaknesses of the latest changes to an application within just a couple of hours.
Manual penetration testing adds a human’s qualifying perspective to this, with a deep focus on specific functionality – such as authentication, or the storage mechanisms for sensitive data – or even on the complete application as part of a more extensive review, which is often carried out in preparation for, or alongside, a significant release.
Combining these processes will undoubtedly produce some duplicate artefacts. When both automated and manual tests are carried out in tandem, the penetration testers’ job is to summarise and evaluate the findings, indicating which of them have a critical, high, medium or low impact and which class of security vulnerabilities they belong to. In a report of the manual findings, the pentester would also provide suggestions on remediating these.
Because automated penetration tests do not involve much (expensive) human labour, it is common to carry out manual testing only after the automated pentests have been run and their findings reviewed and resolved. In doing so, the penetration tester can take the automated results into account, either focusing on an area of the application shown to bear many vulnerabilities or, on the contrary, taking a closer look at code that was assumed to contain weaknesses but where none were identified during the automated test phase.
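As an added example, not part of the original post and not Crashtest Security’s or Alice&Bob.Company’s own code or API, the following script shows the pipeline glue described above: it triggers a scan through a webhook, then merges the automated findings with a manual pentest report, collapses the duplicate artefacts that arise when both run in tandem, keeps the higher severity for any finding reported by both sides, and fails the build above a chosen severity. The webhook URL, bearer-token header, request payload, JSON finding shape and the deduplication key (vulnerability class plus location) are all assumptions made for this illustration, and the sample findings are constructed.

```python
"""Hypothetical CI gate combining automated scan output and manual pentest findings.

Everything here (webhook contract, finding format, sample data) is an assumption
made for this example; it is not the API of any real scanner or service.
"""
import json
import urllib.request

# Severity order used for ranking and for the build gate (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, as a scanner and a pentester might report them.
SAMPLE_AUTOMATED = [
    {"class": "Reflected XSS", "location": "/search?q", "severity": "high"},
    {"class": "Missing security header", "location": "/", "severity": "low"},
    {"class": "SQL injection", "location": "/login", "severity": "critical"},
]
SAMPLE_MANUAL = [
    {"class": "reflected xss", "location": "/search?q ", "severity": "medium"},
    {"class": "Broken access control", "location": "/admin", "severity": "high"},
]


def trigger_scan(webhook_url, token, target, opener=urllib.request.urlopen):
    """POST a scan request to a (hypothetical) webhook and return the HTTP status.

    `opener` is injectable so the call can be exercised offline in tests.
    """
    body = json.dumps({"target": target}).encode("utf-8")
    req = urllib.request.Request(
        webhook_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with opener(req, timeout=30) as resp:
        return resp.status


def _normalise(finding):
    """Canonicalise free-text fields so the same issue keys identically."""
    return {
        "class": finding["class"].strip().lower(),
        "location": finding["location"].strip().lower(),
        "severity": finding["severity"].strip().lower(),
    }


def merge_findings(automated, manual):
    """Merge two finding lists, deduplicating on (class, location).

    A finding reported by both sides keeps the highest severity and records
    which sources saw it, so the report shows where the two methods overlap.
    """
    merged = {}
    for source, findings in (("automated", automated), ("manual", manual)):
        for raw in findings:
            f = _normalise(raw)
            key = (f["class"], f["location"])
            if key in merged:
                current = merged[key]
                if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[current["severity"]]:
                    current["severity"] = f["severity"]
                current["sources"].add(source)
            else:
                f["sources"] = {source}
                merged[key] = f
    return list(merged.values())


def gate(findings, fail_on="high"):
    """Return (passed, blocking_findings) for the build gate."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    merged = merge_findings(SAMPLE_AUTOMATED, SAMPLE_MANUAL)
    passed, blocking = gate(merged, fail_on="high")
    for f in sorted(merged, key=lambda x: -SEVERITY_RANK[x["severity"]]):
        print(f"{f['severity']:<8} {f['class']:<24} {f['location']:<12} "
              f"{','.join(sorted(f['sources']))}")
    raise SystemExit(0 if passed else 1)
```

Keying on class and location is deliberately coarse: it is what lets the reviewer see at a glance which automated findings the manual tester confirmed and which areas only one method reached, which is the comparison the paragraph above describes. The gate threshold is a policy knob; teams typically block on high and critical in CI and leave medium and low for the manual report to prioritise.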
Whether manual penetration testing is carried out as a second phase or in parallel with automated testing, combining the proficiency of the Crashtest Security Suite with Alice&Bob.Company’s manual penetration testing services provides a much deeper view of an application’s security state.
Alice&Bob.Company offers its clients a range of services, including full-service cloud security analysis and remediation.