Pentesting at its best! Why manual AND automated methods push your comprehensive security strategy

The best way to find your weaknesses is to simulate the attack on yourself and fix vulnerabilities before someone else finds them. Traditionally this has been done manually by a penetration tester (a “pentester”) or ethical hacker, someone who specializes in all the techniques used by attackers. A skilled pentester will work through an exhaustive list of vulnerabilities and attempt to find exploits in every area of a web application. It is a time-consuming process but necessary for any business that takes security seriously.

But what happens when your application is updated frequently? Having a manual pentest every week or even every month is unrealistic for most firms. This is where we see the case for automatic pentesting or continuous vulnerability scanning. By having constant automated pentests with every update you can eliminate the bulk of potential vulnerabilities before they ever reach production. This creates an underlying baseline of security.

By running automated scans in tandem with manual pentests, we can provide a more robust layer of protection against vulnerabilities.

The Crashtest Security Suite offers cutting-edge scanning capabilities in a user-friendly interface. The scanners cover the full range of OWASP Top 10 vulnerabilities and can integrate directly into your CI/CD pipeline. Scans can be triggered via webhooks, and developers will be notified immediately of any vulnerabilities found and provided with remediation links. By building security into the overall development process you will have a more secure application, which will mean more value when it comes to your manual pentests. This is continuous security.

While automated penetration testing should be carried out regularly and embedded in the Secure Development Lifecycle (SDLC), manual penetration testing is still necessary, and must be carried out whenever relevant infrastructural, architectural and functional changes are deployed.

You may wonder, “Why do we need both approaches, when they are both about security testing?” The main reason is that neither strategy provides complete coverage alone. But when combined, they provide the most complete coverage that penetration testing can achieve. Automated penetration testing is an affordable and fast method, enabling DevSecOps teams to quickly learn about possible weaknesses of the latest changes to an application within just a couple of hours.

Manual penetration testing adds to this a human’s qualifying perspective, with a deep focus on specific functionality – such as authentication and storage mechanisms for sensitive data – or even on the complete application as part of a larger review, which is often carried out in preparation for or alongside a major release.

Combining these processes will certainly produce some duplicate artifacts. As such, when both automated and manual tests are carried out in tandem, it is the penetration tester’s job to also summarize and evaluate the findings, indicating which of them have a critical, high, medium or low impact, and which class of security vulnerabilities they belong to. In a report of the manual findings, the pentester would also provide suggestions on how to remediate these.

Because automated penetration tests do not involve much (expensive) human labor, it is quite common to carry out manual testing only after automated pentests have been run and their findings have been reviewed and resolved. In doing so, the penetration tester can take the automated tests’ results into account, either focusing on an area of code shown to bear many vulnerabilities or, to the contrary, taking a closer look at code which was assumed to contain weaknesses but where none were identified during the automated test phase.

Whether manual penetration testing is carried out as a second phase or in parallel to automated testing, combining the proficiency of the Crashtest Security automated penetration testing product with Alice&Bob.Company’s manual penetration testing services provides a much deeper view into an application’s security state and, as such, creates a solid foundation for Alice&Bob.Company’s product offerings in the area of full-service cloud security analysis and remediation.

Crashtest Security is a Munich-based cyber security company passionate about DevSecOps and developing a safer web. Crashtest Security’s primary objective is helping companies across the globe establish a security baseline through vulnerability scanning and continuous testing.

This article is part of a series on penetration testing. The next piece will discuss how penetration testing can be efficiently carried out against your cloud infrastructure. Be sure to re-visit our blog soon to read the follow-up article, to learn how to become a Shift Left champion and about many other topics relating to cloud security.