Crashtest Security Blog

Manual & Automated - A Comprehensive Pentesting Strategy

Aug 7, 2020 2:00:00 PM / by Leon O'Neill

This blog is a joint effort by Alice&Bob.Company and Crashtest Security – a strong partnership enabling thorough vulnerability testing. Penetration Testing is an important function in any cyber security strategy.


A proven method of increasing security is to simulate an attack on yourself and fix vulnerabilities before someone else finds them. Traditionally this has been done manually by a penetration tester (a “pentester”) or ethical hacker, someone who specializes in the techniques used by attackers. A skilled pentester will work through an exhaustive list of vulnerability classes and attempt to find exploitable weaknesses in every area of a web application. It is a time-consuming process, but a necessary one for any business that takes security seriously.


But what happens when your application is updated frequently? Having a manual pentest every week, or even every month, is unrealistic for most firms. This is where we see the case for automated pentesting, or continuous vulnerability scanning. By running automated pentests with every update, you can eliminate the bulk of potential vulnerabilities before they ever reach production. This creates an underlying baseline of security.

Security Baseline with & without Crashtest Security

By working in tandem with manual pentests we can provide a more robust layer of protection

The Crashtest Security Suite offers cutting-edge scanning capabilities in a user-friendly interface. The scanners cover the full range of OWASP Top 10 vulnerabilities and can integrate directly into your CI/CD pipeline. Scans can be triggered via webhooks, and developers are notified immediately of any vulnerabilities found, together with remediation links. By building security into the overall development process you will have a more secure application, which in turn means more value from your manual pentests. This is continuous security.

While automated Penetration Testing should be carried out regularly and embedded in the Secure Development Lifecycle (SDLC), manual penetration testing is still necessary, and must be carried out whenever relevant infrastructural, architectural and functional changes are deployed.

You may wonder, “Why do we need both approaches, when they are both about security testing?” The main reason is that neither strategy provides complete coverage alone. Combined, however, they provide the most complete coverage that penetration testing can achieve. Automated penetration testing is an affordable and fast method, enabling DevSecOps teams to learn about possible weaknesses in the latest changes to an application within just a couple of hours.

Manual penetration testing adds a human’s qualifying perspective to this, with a deep focus on specific functionality, such as authentication and the storage mechanisms for sensitive data, or on the complete application as part of a larger review, which is often carried out in preparation for, or alongside, a major release.

Combining these processes will certainly produce some duplicate findings. As such, when automated and manual tests are carried out in tandem, it is also the penetration tester’s job to summarize and evaluate the findings, indicating which of them have a critical, high, medium or low impact and which class of security vulnerability they belong to. In the report of the manual findings, the pentester would also provide suggestions on how to remediate them.

Because automated penetration tests do not involve much (expensive) human labor, it is quite common to carry out manual testing only after the automated pentests have been run and their findings have been reviewed and resolved. In doing so, the penetration tester can take the automated results into account, either focusing on an area of code shown to contain many vulnerabilities or, conversely, taking a closer look at code that was assumed to contain weaknesses but where none were identified during the automated test phase.
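The triage step described in the last two paragraphs (merging automated and manual findings, removing duplicates, ranking by impact and vulnerability class, and deciding where the manual phase should focus) can be expressed as a small script. The following is an added illustration, not code from Crashtest Security or Alice&Bob.Company; the finding records, the severity scale and the idea of grouping findings by first URL path segment are all constructed for the example.

```python
"""Merge automated and manual pentest findings, deduplicate, and summarize.

Added illustration with constructed sample data; the records below are not
output from any real scanner or pentest report.
"""
from collections import Counter

# Lower number = more severe; used for sorting and for keeping the worst rating.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings from the automated phase (note the duplicate XSS).
AUTOMATED_FINDINGS = [
    {"source": "automated", "class": "XSS", "location": "/search?q", "severity": "medium"},
    {"source": "automated", "class": "SQLi", "location": "/login", "severity": "high"},
    {"source": "automated", "class": "XSS", "location": "/search?q", "severity": "medium"},
    {"source": "automated", "class": "Missing security headers", "location": "/", "severity": "low"},
]

# Constructed sample findings from the manual phase; the tester rated the same
# /login SQLi higher after confirming it, and found an access-control issue.
MANUAL_FINDINGS = [
    {"source": "manual", "class": "SQLi", "location": "/login", "severity": "critical"},
    {"source": "manual", "class": "Broken access control", "location": "/admin/export", "severity": "high"},
]


def finding_key(finding):
    """Two findings describe the same issue if class and location match."""
    return (finding["class"], finding["location"])


def merge_findings(*sources):
    """Deduplicate findings across phases, keeping the most severe rating and
    recording every phase that reported the issue. Result is sorted by impact."""
    merged = {}
    for findings in sources:
        for f in findings:
            key = finding_key(f)
            existing = merged.get(key)
            if existing is None or SEVERITY_ORDER[f["severity"]] < SEVERITY_ORDER[existing["severity"]]:
                prev_sources = existing["sources"] if existing else set()
                merged[key] = {**f, "sources": prev_sources | {f["source"]}}
            else:
                existing["sources"].add(f["source"])
    return sorted(merged.values(), key=lambda f: (SEVERITY_ORDER[f["severity"]], f["class"]))


def summarize_by_severity(findings):
    """Count findings per impact level for the report summary."""
    return Counter(f["severity"] for f in findings)


def area_of(location):
    """Constructed grouping rule: first path segment, or '/' for the root."""
    return location.split("?")[0].strip("/").split("/")[0] or "/"


def suggest_manual_focus(automated, expected_weak_areas, threshold=2):
    """Where should the manual phase look first?
    - 'dense': areas where automation found at least `threshold` issues
    - 'unverified': areas expected to be weak where automation found nothing
    """
    per_area = Counter(area_of(f["location"]) for f in automated)
    dense = sorted(area for area, n in per_area.items() if n >= threshold)
    unverified = [area for area in expected_weak_areas if per_area[area] == 0]
    return {"dense": dense, "unverified": unverified}


if __name__ == "__main__":
    merged = merge_findings(AUTOMATED_FINDINGS, MANUAL_FINDINGS)
    for f in merged:
        print(f"{f['severity']:<9} {f['class']:<25} {f['location']:<15} {sorted(f['sources'])}")
    print(dict(summarize_by_severity(merged)))
    print(suggest_manual_focus(AUTOMATED_FINDINGS, ["login", "admin"]))
```

Running it prints the four unique issues in impact order, with the /login SQLi shown as reported by both phases at its higher manual rating, and suggests that the manual tester spend time on the "search" area (dense in automated findings) and on "admin" (expected to be weak, but untouched by the scanner).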

Whether manual penetration testing is carried out as a second phase or in parallel with automated testing, combining the Crashtest Security Suite with Alice&Bob.Company’s manual penetration testing services provides a much deeper view into an application’s security state.

Alice&Bob.Company offers its clients a range of services, including full-service cloud security analysis and remediation.


Topics: WebApplicationSecurity, Cybersecurity, continuous Security

Written by Leon O'Neill

Marketing @ Crashtest Security
