Why Automated Penetration Testing is Not Enough
With the increasing number of networks, systems, and applications, the vision of performing Network Penetration Testing on every subnet and every system or performing Web Application Penetration Testing on every web application may seem impossible for many organizations, especially those with limited budgets and limited resources. With all that said, network and web application security risks will not be mitigated by automated testing. All of this will lead to extremely hard choices when trying to establish cost-effective strategies for network and web application security.
Almost every cybersecurity professional within the industry can agree that networks, systems, and web applications will not be properly secured by only running automated penetration testing and automated vulnerability scans. Penetration testing companies that only offer automated penetration testing should be avoided. This article will cover the numerous flaws of “automated penetration testing” and automated scanning. This article will also provide organizations with potential solutions that take constraints such as limited resources and/or a limited budget into account while still allowing organizations to properly secure their networks, web apps, and systems from cyberattacks.
What Are the Options for Penetration Testing Companies?
Penetration testing companies may offer different options for security testing. Three of the main security testing approaches vary in cost, accuracy, and depth. These three methods can be utilized at different frequencies as they can yield different results. These three methods can be combined together to build a more effective cybersecurity program.
- Automated Penetration Testing / Automated Vulnerability Scanning
- Automated Vulnerability Scanning with Manual Validation
- Manual Penetration Testing (Vulnerability Scans leveraging Manual Validation, with additional Manual Penetration Testing)
Is All Automated Scanning Bad?
No. Automated scanning can be a great starting point for organizations that lack a cybersecurity budget and cannot benefit from frequent manual penetration testing of all of their networks, systems, and applications. However, automated penetration testing and automated scanning should not be the only proactive actions taken. Manual penetration testing is a must!
Which Approach Should Organizations Take?
Some organizations will try to use a risk-based approach to help decide which kind of security test should be used. This approach can lead organizations to conclude that either only automated penetration testing or only automated vulnerability scanning would be okay for some company networks, systems, and web applications. The truth is, this is not acceptable. A majority of networks, systems, and web applications still need frequent manual penetration testing. The frequency of the manual penetration test may be set based on other factors such as the frequency of routine vulnerability scans.
Relying on Automated Penetration Testing Exposes Many Organizations to Cyberattacks
Penetration testing companies that only offer automated penetration testing should be avoided. While automated penetration testing and automated vulnerability scanning may help organizations, automated testing should never be the sole method to test an organization’s cybersecurity posture. Many networks contain unique systems and configurations. Most web applications contain business logic which is unique and automated penetration testing and automated scanning cannot contextualize. The automated verifications by automated penetration testing and automated scanning cannot identify many critical vulnerabilities within web applications.
Two example vulnerabilities include Authentication Bypasses and Weak Access Controls. These two example vulnerabilities may have devastating results if exploited by attackers, and they are often tied to the actions and properties found within unique web applications. These are only two examples of critical vulnerabilities that would require manual penetration testing to be discovered. Organizations that rely on automated penetration testing or automated vulnerability scanning would be blind to these types of cyberattacks.
Why is Automated Penetration Testing Bad?
Unfortunately, some organizations have started relying on automated penetration testing and automated vulnerability scanning which can lead the entire organization to have a false and misleading sense of their security posture. Leadership assumes that the company’s networks and web application have been properly secured, but numerous critical vulnerabilities remain on the network and within the web applications.
Automated Penetration Testing (Even With Some Manual Validation) Can Leave Organizations Exposed to Cyberattacks
Some organizations receive automated penetration testing and think that the networks and web applications no longer require manual penetration testing. Automated penetration testing, even with manual validation, has left organizations exposed to numerous cyberattacks. Penetration testing companies that only offer automated penetration testing should be avoided.
Case Study #1: Public Web Application
The findings below represent a small sample of security issues that would never have been identified or fixed if the company had only relied on automated penetration testing and automated vulnerability scans. If the organization had relied only on the automated testing, the organization would have been left vulnerable to cyberattacks.
Found During an Automated Penetration Test
- High - Cross-Site Scripting (False Positive)
- High - Encryption Is Not Enforced
- Medium - Outdated Software Components
Found During a Manual Penetration Test (Missed During an Automated Penetration Test)
- Critical - Authorization Bypass
- Critical - API Does Not Require Authentication
- Critical - Privilege Escalation
- High - Sensitive Content Publicly Exposed
- Medium - Client-Side Controls Can Be Bypassed
- Medium - Outdated Software (JavaScript v1.4.0)
- Low - Information Disclosure
The automated penetration test missed crucial vulnerabilities allowing attackers access to sensitive information.
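To make the Authorization Bypass finding above (and the Weak Access Controls example earlier) concrete, here is an added illustration that is not from the article or from Central InfoSec: a tiny in-memory model of an owner-only API endpoint. The scanner-style check only sees status codes and passes whether or not ownership is enforced; the tester's two-account check needs to know that invoice 101 belongs to alice, which is exactly the business context an automated tool lacks. All users, tokens, and invoice data are constructed for the example.

```python
# Constructed sample data (hypothetical): two users, each owning one invoice.
INVOICES = {101: {"owner": "alice", "total": "1200.00"},
            102: {"owner": "bob", "total": "75.50"}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_invoice(token, invoice_id, enforce_ownership):
    """Simulated endpoint GET /invoices/<id>; returns (status, body).

    enforce_ownership=False models the authorization bypass from the case
    study: any authenticated user can read any invoice.
    """
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if enforce_ownership and invoice["owner"] != user:
        return 403, None
    return 200, invoice


def scanner_check(enforce_ownership):
    """What a context-free automated check can verify: an unauthenticated
    request is refused and an authenticated one succeeds. It has no notion
    of which user should own which invoice, so it returns True either way."""
    anon_status, _ = get_invoice(None, 101, enforce_ownership)
    auth_status, _ = get_invoice("tok-alice", 101, enforce_ownership)
    return anon_status == 401 and auth_status == 200


def manual_authz_check(enforce_ownership):
    """The manual tester's two-account test: knowing invoice 101 belongs to
    alice, request it with bob's session and expect 403 with no body.
    Returns True only when ownership is actually enforced."""
    status, body = get_invoice("tok-bob", 101, enforce_ownership)
    return status == 403 and body is None
```

The same pattern (two accounts, a resource known to belong to one of them, and an expectation derived from the application's own rules) is what turns a scan into a test of the application's access controls.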
Manual Penetration Testing on an Annual Basis
It is required that all networks and web apps be tested manually by certified and qualified penetration testers at least once a year. When you consider today’s constantly developing cyber threats, we recommend that networks and web applications be tested manually twice a year and sometimes even quarterly. This allows organizations to proactively stay ahead of methods used to bypass security measures within networks and web applications. This is also why standards including PCI-DSS require both an annual external penetration test and an annual internal penetration test to be compliant. PCI-DSS also states that both the external and internal tests must include network testing and web application testing.
Manual Penetration Testing After Significant Changes
It is also crucial that all networks and web applications are tested manually when new devices are added, when new functionality is introduced, and when major / significant changes are implemented to the supporting infrastructure. This is because additional vulnerabilities could be introduced which could leave the organization vulnerable to cyberattacks. PCI-DSS requires that penetration testing be performed after all significant changes. This is separate from the required annual penetration tests.
Automated Penetration Testing and Automated Vulnerability Scanning
Automated penetration testing and automated vulnerability scanning may identify some types of vulnerabilities. Automated scanning may also be efficient at finding specific misconfigurations. The automated validations are sometimes performed by leveraging databases containing thousands of vulnerabilities related to different technologies along with particular flaws related to various versions of software that may be installed. Automated testing and scanning may be run on a routine basis which may help in-between manual penetration tests.
Automated Scans with Manual Validation
One of the largest issues of automated penetration testing and automated vulnerability scanning is the large number of misleading false positive items that the automated testing and scanning can generate. This often leads to wasting company resources since the teams may spend time investigating and attempting to fix vulnerabilities that may not actually exist. Furthermore, teams may spend time remediating items that present little risk for the organization. A certified penetration tester may manually validate items found in automated penetration tests and automated vulnerability scans to adjust the risk ratings. This may help prioritize next steps and help save company resources and money.
Automated Penetration Testing and Automated Scans with Manual Validation
One of the most important items to note is that manually validating items found during automated penetration tests and automated scans does not increase the testing depth, nor does it increase the depth of analysis. This is why automated penetration testing with manual validation will not make the tests as dependable as manual penetration testing.
Cons of Automated Penetration Testing Companies
The following lists some of the cons of automated penetration testing:
- The automated testing tool is not perfect
- There are higher chances of false positives
- There are higher chances of false negatives
- Testing may not be considered as an independent attestation
- Testing can only scan for the test cases given by the security vendor
- Testing has a fixed number of results as programmed by the vendor
- The automated tool cannot analyze situations that a human can analyze
Pros of Manual Penetration Testing Companies
The following lists some of the pros of manual penetration testing:
- In-depth manual testing of networks
- In-depth manual testing of systems
- In-depth manual testing of web applications
- Skilled penetration testers can analyze situations better
- Skilled penetration testers can think like the hacker
Manual Penetration Testing Companies for the Win
After reading and analyzing this article, hopefully it is clear to you why manual penetration testing is the clear winner and why automated penetration testing alone will never be comparable to a manual penetration test. If you had an automated approach to read and analyze this article, which method would your script choose?
Do Not Be Fooled by Automated Pen Test Companies
If you are investing in your organization’s security by undergoing a penetration test, ensure that you are actually receiving a manual penetration test. Do not let firms misguide you into thinking that an automated vulnerability scan or an automated penetration test can detect all of your vulnerabilities. If the firm you have hired does not use manual testing methods from a credentialed penetration tester during the penetration test, you are not receiving a quality penetration test. Acceptable credentials may include OSCP, OSWP, GXPN, GPEN, GCPN, GWAPT, GMOB, AWS CSS, and others. Contact Central InfoSec today to learn more about our quality-focused penetration testing services.
Central InfoSec - Best Pen Test Company
Want to know why organizations rely on Central InfoSec’s manual penetration testing expertise?
No matter the complexity of your networks and web applications, Central InfoSec experts are well-known to identify and help organizations fix the most complex vulnerabilities that could lead to disastrous cyberattacks. Central InfoSec was named the “Best Penetration Testing Company” in the Corporate Excellence Awards.
Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming, Penetration Testing, and Security Training.
If you’d like to see why Corporate Vision selected Central InfoSec as the Best Penetration Testing & Security Consulting Firm, let's have a chat to see how you could benefit from Central InfoSec security services. It’s simple and easy. We’ll even include a free customized quote. Let’s get started: Contact Central InfoSec
Central InfoSec specializes in red teaming and penetration testing to help you reduce risk to your organization by helping you test, measure, and improve your overall security posture. Security services offered include red teaming, penetration testing, vulnerability assessments, web application testing, managed phishing, and other tailored security services.
Central InfoSec named Best Penetration Testing Company by Corporate Vision's Corporate Excellence Awards.