SEWORKS-blog_banner.png

App Security Insights

Penetration Testing - Manual vs Automated

May 28, 2020 11:15:00 AM / by SEWORKS team

Penetration Testing_ManualvsAutomated

Automated penetration testing has become a new way to replace and/or complement the traditional manual penetration testing methods. In this post, we’ll explore the concept of automated penetration testing, and how it helps organizations to discover and mitigate security weaknesses in comparison to manual penetration testing. 

 What is traditional penetration testing?

Until recently, penetration testing has been a project that only trained penetration testers and ethical hackers can take care of. This is because penetration testing requires an expertise in analyzing the target and conducting real exploits to verify how the target responds. Depending on the scope, one penetration testing can take weeks or even months to complete. The quality of testing can be subjective due to the expertise of testers. 

These days, pen testers employ some scanning tools, such as Burp Suite, Veracode, and Rapid7 to reduce the testing period. The scanning tools help the initial analysis to understand where potential vulnerabilities exist, and enable the testers to build efficient exploit strategies to confirm the security vulnerabilities and weaknesses. However, the exploit simulation phase is done manually as well as compiling the results and generating reports. This is why manual penetration testing often takes a lengthy amount of time. 

What is automated penetration testing?

As mentioned above, there are some scanning tools to assist penetration testing. However, they can’t be the only source for pen testing as the tools are often based on patterns and signatures, and don’t detect complex security vulnerabilities and weaknesses. As the technology gets evolved, now we see some solutions that offer fully automated penetration testing. Oftentimes, such solutions involve AI technology to overcome scanning tools’ weaknesses that following patterns and signatures bring. 

Automated penetration testing tools, such as Pentoma®, do not involve manual work during the testing process. Also, rather than relying on multiple tools, one automated testing tool takes care of the entire test. In other words, AI capabilities allow these tools to scan potential vulnerable areas, and simulate exploits autonomously. Once the scanning and exploit process is done, all the findings are automatically compiled to generate a report. 

In Pentoma®’s case, the solution utilizes GAMAN (Generative Adversarial Model Agnostic Networks) to automate penetration testing. GAMAN builds unique classification datasets for each target environment, and creates payloads based on the datasets. By doing so, Pentoma®  is able to optimize the exploit simulation and attack the targets as if it is a human pen tester.

How to benefit from automated penetration testing

Automated penetration testing complements and betters the traditional pen testing methods. If an organization does not have in-house pen testers or designated third-party pen testing vendors, an automated penetration testing solution is an alternative to easily access pen testing. This is because there’s no complicated human engagement to start a test. As soon as the target scope is defined, a test can be started when the organization wishes to begin. 

If an organization has in-house pen testers or vendors, automated pen testing solutions are still helpful. As the solutions take care of the testings, human pen testers can verify and validate the results. Moreover, based on the results, they can also execute further exploits in attempt to discover security weaknesses in a deeper level. Employing automated pen testing solutions would ease the workload, and save a lot of time and effort.

Budgeting a manual penetration test itself is a huge workload. Each vendor and pen testing consultant use different models to quote a penetration test. For example, some might consider the hours for a test, and others might go by the size of the scope. With different ways to measure the test duration and depth, a test quote may start from a several thousand dollars. It is common to go over $50,000 for one test, as well. This explains why the time, quality, and cost of testing have been an obstacle to access manual penetration testing even though it is important to conduct penetration tests on a regular basis.

Conclusion 

Penetration testing is a complex yet mandatory project for companies to learn and fix security weaknesses. The manual testing process usually takes a lot of time and human effort to complete, which has been a turnoff for organizations. Automated testing lightens the human workload, and makes the testing process more efficient and faster. Regardless of having access to pen testers and vendors, companies can take advantage of automated penetration testing solutions.

Topics: Penetration Testing, Pentoma

Written by SEWORKS team