We can distinguish two ways to run a penetration test on a web application:

  • Manual testing
  • Automated scanners

Manual testing is the process where human beings go through the application, look for vulnerabilities, and exploit them to confirm they can actually be used to cause damage to the application or to the company. Pentesters use some tools, usually in an interactive mode, their own scripts, and above all, their skill set.

Automated tools are software or platforms that automatically go through the application and detect everything. Well… everything they are able to detect. Many companies have developed these automated security assessment platforms, essentially because automation saves time and cost, and because it lets them reach more potential clients with their tool at a lower cost.

Manually testing a web application is indeed time-consuming, and quite expensive since you’ll have real humans doing the job.

Do you think hackers (I mean, those hackers who steal your data, impact your business) use fully automated tools, and voilà? Of course some scanners crawl websites and report potential victims to hackers, but in the end, hackers are not people only clicking on the “Launch test” button of an automated tool. They are skilled people who will often find vulnerabilities that automated tools can’t find.
If automated tools were so powerful and efficient, all major websites would already have been scanned and would be safe. But it’s not the case. 

What automated tools can do that pure manual testing cannot:
– test every single possibility on every page (at least every page they find, and every possibility they have been taught and told to test)
– perform tests at a very high speed (although executing the full test still takes quite a lot of time)

What automated tools cannot discover is mainly logical flaws: only human testers are able to understand the logic behind the application’s workflow. These flaws are quite often severe and can lead to very serious damage to the company.
Automated tools only report technical flaws, not workflow or business logic issues.

On top of this, automated tools report false positives. Developers try to understand what needs to be fixed from the report the tool gave them, but sometimes nothing needs to be fixed.
Going through the “report” produced by an automated scanner can be extremely time-consuming, and still requires security skills.

So what approach do we have to follow?

Vendors who tell you that their tool is perfect and will do everything a human does, at a lower cost and faster, are just trying to sell you their products and services…

The most efficient way to test a web application is the approach that combines the best of both worlds!
The best approach is to mix manual techniques, relying on the skills of the tester, with automated tools, to save time on repetitive and low-value tasks.
A skilled and experienced pentester will leverage the power of some tools, selected for specific aspects, and will combine them with his analysis of your very specific case.

Where full website scanners are generic, some other tools are more efficient on very specific cases and types of vulnerabilities. A human tester will (should) take your business context into consideration, to determine what the priority is in terms of risks, and will first focus on sensitive assets, which can’t be done by an automated tool.