Automated Penetration Testing
Automated penetration testing services and SaaS solutions are gradually taking over parts of traditional human-driven penetration testing, offering greater scalability, efficiency and, when implemented and conducted correctly, tighter integration with DevSecOps pipelines.
History of Automated Penetration Testing
Traditional penetration testing, also known as ethical hacking, emerged in the late nineties, providing organizations with a qualified network and web security testing service. At that time, the vast majority of penetration testing services relied on human intelligence as the main driver. Self-taught security experts and ethical hackers ran various open source tools, such as the Nmap port scanner, and then analyzed the findings and tested further by hand.
Reconnaissance and attack surface exploration were mostly conducted with a multitude of self-developed tools written in C or Perl and actively discussed on dedicated IRC channels. Google dorking and Shodan did not yet exist, and the entire penetration testing process was laborious, unscalable and time-consuming.
Dynamic web applications were at the very beginning of their proliferation, while fairly trivial buffer overflow vulnerabilities and their variations affected countless network services and the software behind them, including omnipresent FTP daemons, OpenSSL, SSH and web servers, and still required quite advanced technical skills to exploit. Most exploits intended to take control of a remote server required solid knowledge of C and assembly, computer memory management and shellcoding (creation of the exploit payload, usually one that spawns a Unix command line, a.k.a. "shell"). Penetration testing training and security certifications did not yet exist either, in contrast to today's variety of courses such as those from SANS or Offensive Security's OSCP, which hone network attack skills and bring practical insights to thousands of cybersecurity professionals around the globe.
Hence, industry professionals and security enthusiasts continuously tried to bring automation into every step of manual penetration testing to accelerate the process, reduce costs and provide better value for money. Simple but efficient tools like Nikto or Hydra gained rapidly in popularity by automating such routine tasks as web server stack enumeration or remote password brute-forcing.
Eventually, Metasploit and Kali Linux (together with its predecessor BackTrack) paved the road to the beginnings of automated penetration testing, which, however, always required an experienced ethical hacker commanding and orchestrating a portfolio of automated security tools.
Caveats of Modern Penetration Testing Software
Nowadays, many vendors of automated security tools, selling web vulnerability scanners and other automated vulnerability scanning solutions, aggressively market their offerings as "penetration testing software" or even "automated penetration testing". A considerable number of IT professionals are misled by this convenient, albeit technically incorrect, marketing puffery. Automated scanners and related SaaS offerings have little in common with genuine penetration testing; in fact, these tools are merely a set of valuable instruments in the hands of experienced cybersecurity professionals conducting a penetration test. Some vendors recklessly advertise their automated software as a full substitute for penetration testing, pushing their unwitting buyers into a breach of PCI DSS (Requirement 11.3), the New York DFS Cybersecurity Regulation (23 NYCRR Part 500) and a growing multitude of other laws and regulations that expressly require covered businesses to conduct regular penetration testing on top of automated vulnerability scanning. Likewise, in GDPR-related lawsuits and litigation, companies that fail to run penetration testing may eventually be found negligent in case of a data breach and face a penalty of up to 20 million Euros or 4% of their annual worldwide turnover, whichever is greater. Thus, what looks at first sight like a subtle difference in terminology may be essential for your business.
Penetration testing software is by definition incapable of properly assessing application business logic or conducting chained exploitation of convoluted OWASP Top 10 vulnerabilities, let alone the broader CWE/SANS Top 25 list. Examples of non-trivial security flaws that require human cognition range from an obfuscated XSS payload in JavaScript behind a WAF to the many variations of Improper Access Control or Authentication Bypass vulnerabilities. Vertical and horizontal privilege escalation likewise require a human way of thinking to be spotted in most cases, because the tool cannot know which user is supposed to see which data, making automated scanners virtually useless for these classes of flaws.
For example, the OWASP Testing Guide (v4) compiles over a dozen interrelated types of security tests and checks that are virtually impossible to automate with traditional software without losing quality and reliability of the testing, for instance:
- Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)
- Test Role Definitions (OTG-IDENT-001)
- Testing for Privilege Escalation (OTG-AUTHZ-003)
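As an added illustration (example code, not part of the original article and not ImmuniWeb's tooling) of why OTG-IDENT-001 and OTG-AUTHZ-003 resist full automation: the mechanical part of privilege escalation testing, replaying one user's recorded requests with another user's session and comparing responses, is easy to script. The verdict, however, depends on role definitions that only a human who understands the application can supply. The toy application, its two sessions, the recorded requests and the role policy below are all constructed for the example; the target deliberately contains one vertical and one horizontal access control bug, and one endpoint the policy does not cover, which the script can only flag for human review.

```python
"""Differential authorization test (constructed example).

Replays requests recorded as a high-privilege 'victim' user with a
low-privilege 'attacker' session and classifies the outcome against a
role policy written by the tester (OTG-IDENT-001). Without that policy
the script cannot tell a bug from a legitimately shared endpoint.
"""
from dataclasses import dataclass

# --- Constructed toy target; stands in for a real web application ----------
SESSIONS = {"sess-alice": ("alice", "admin"), "sess-bob": ("bob", "user")}
ORDERS = {"1001": "alice", "1002": "bob"}


def toy_app(method, path, session):
    """Return (status, body). Deliberately ships two access-control bugs:
    /admin/users never checks the role (vertical escalation) and
    /api/orders/<id> never checks the owner (horizontal escalation)."""
    if session not in SESSIONS:
        return 401, "login required"
    user, role = SESSIONS[session]
    if path == "/api/products":
        return 200, "public catalogue"
    if path == "/api/profile":
        return 200, f"profile of {user}"          # per-user data, correctly scoped
    if path == "/admin/users":
        return 200, "alice,bob"                   # BUG: should require role == "admin"
    if path == "/admin/config":
        if role != "admin":
            return 403, "forbidden"               # correct vertical check
        return 200, "config"
    if path.startswith("/api/orders/"):
        order_id = path.rsplit("/", 1)[1]
        owner = ORDERS.get(order_id)
        if owner is None:
            return 404, "no such order"
        return 200, f"order {order_id} of {owner}"  # BUG: should require owner == user
    if path == "/api/export":
        return 200, "csv export"                  # not covered by the tester's policy
    return 404, "not found"


# Tester-supplied role definitions: path prefix -> allowed roles, and whether
# the resource is scoped to its owner (identical bodies across users are suspicious).
POLICY = {
    "/api/products": {"roles": {"anonymous", "user", "admin"}, "owner_scoped": False},
    "/api/profile": {"roles": {"user", "admin"}, "owner_scoped": True},
    "/admin/": {"roles": {"admin"}, "owner_scoped": False},
    "/api/orders/": {"roles": {"user", "admin"}, "owner_scoped": True},
}

# Requests as they would be recorded while browsing as alice (constructed).
RECORDED = [("GET", "/api/products"), ("GET", "/api/profile"), ("GET", "/admin/users"),
            ("GET", "/admin/config"), ("GET", "/api/orders/1001"), ("GET", "/api/export")]


@dataclass
class Finding:
    path: str
    kind: str    # "vertical", "horizontal" or "needs-review"
    detail: str


def lookup_policy(path, policy):
    """Longest-prefix match; None when the tester defined no role for the path."""
    matches = [(p, r) for p, r in policy.items() if path.startswith(p)]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


def differential_authz(app, recorded, victim_session, attacker_session, attacker_role, policy):
    findings = []
    for method, path in recorded:
        base_status, base_body = app(method, path, victim_session)
        if base_status >= 400:
            continue                                   # victim could not reach it either
        rep_status, rep_body = app(method, path, attacker_session)
        if rep_status != 200:
            continue                                   # 401/403/404: access correctly denied
        rule = lookup_policy(path, policy)
        if rule is None:
            findings.append(Finding(path, "needs-review", "no role definition; a human must decide"))
        elif attacker_role not in rule["roles"]:
            findings.append(Finding(path, "vertical", f"role {attacker_role!r} reached an endpoint for {sorted(rule['roles'])}"))
        elif rule["owner_scoped"] and rep_body == base_body:
            findings.append(Finding(path, "horizontal", "attacker received the victim's object"))
    return findings


def run_demo():
    """Map each flagged path to its classification (used by the usage below)."""
    found = differential_authz(toy_app, RECORDED, "sess-alice", "sess-bob", "user", POLICY)
    return {f.path: f.kind for f in found}


if __name__ == "__main__":
    for f in differential_authz(toy_app, RECORDED, "sess-alice", "sess-bob", "user", POLICY):
        print(f"{f.kind:<12} {f.path:<20} {f.detail}")
```

Running it flags /admin/users as vertical escalation, /api/orders/1001 as horizontal escalation, and /api/export as needing review, while /api/profile (both users get 200 but different, correctly scoped bodies) and /api/products (legitimately shared) produce nothing. Remove the POLICY entries and every 200/200 pair collapses into "needs-review": the replay is automated, but the judgement about which role is supposed to see which data is the human part the OWASP checks describe.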
Therefore, organizations that need a real penetration test, whether to comply with applicable regulatory requirements or to obtain in-depth, comprehensive security testing of their network or web infrastructure, should carefully distinguish genuine penetration testing offerings from rebranded scanners and software vendors' puffery.
How to Select an Automated Penetration Testing Company
First and foremost, establish your goals and objectives. Some organizations may consciously decide against regular penetration testing in light of their business processes, regulatory requirements and a deliberate risk acceptance. Such exceptions are, however, fading fast amid mushrooming data protection laws and external stakeholders' requirements that mandate manual penetration testing to augment automated vulnerability scanning. Thus, if your primary objective is to detect all possible security flaws, weaknesses and misconfigurations, human-driven penetration testing is probably the best fit for you. Likewise, if an applicable law, data protection regulation, security framework or internal policy unambiguously requires penetration testing to be conducted by security experts, you will be better off complying. Otherwise, you may well attain your goals with a well-designed automated penetration test, not to be confused with an automated vulnerability scanner.
A hallmark of a penetration test is an actionable report free from false positives. This applies equally to human-driven and automated penetration testing. Thus, if a vendor is unable to provide a contractual guarantee that the report will contain no false positives, their offering is not penetration testing. At ImmuniWeb we not only offer a zero false-positives SLA (Service Level Agreement) to all of our customers but also provide a contractual money-back guarantee for even a single false positive in a report. To date, this has never happened.
Another aspect to consider is advanced testing capabilities such as Web Application Firewall (WAF) bypass, which frequently requires human intelligence and a highly creative way of thinking. Automated web vulnerability scanners will almost inevitably run into this obstacle and end up producing a false positive (a WAF block page mistaken for an application error) or, more dangerously, a false negative (a silently filtered payload reported as "not vulnerable"). A WAF is commonly an insurmountable barrier for a web vulnerability scanner, giving website owners a false and perilous sense of security. Therefore, double-check whether a penetration testing company makes a credible statement about WAF bypass, and whether its methodology at least detects blocked requests instead of counting them as clean results.
Finally, a vital aspect of an automated penetration test to scrutinize is pricing. As detailed above, automated penetration testing cannot be equated with automated vulnerability scanning. Therefore, if someone offers you a price that seems too good to be true, it probably is. Intelligent automation may significantly cut human costs; on the other hand, developing the underlying technology stack is a time-consuming and costly process. For instance, Machine Learning models require large volumes of properly structured and labelled data for training, and such data cannot be acquired for pennies. Importantly, some human-generated data may be worth millions just to collect, making penetration testing automation a premium-priced market. Consequently, pricing below $500 per pentest should probably be treated as a red flag indicating that you will get a vulnerability scan rather than a penetration test.
AI and Machine Learning for Automated Penetration Testing
We can all agree that automation is a key to success in 2020 and will probably remain a hot topic over the next decade. Mindful of this, at ImmuniWeb we leverage Machine Learning, including Deep Learning Artificial Neural Networks (ANN), to intelligently automate and accelerate a wide spectrum of penetration testing tasks and processes.
While we cannot fully automate the entirety of skilled penetration testing work, we can effectively reduce the human time required for advanced testing of OWASP Top 10 vulnerabilities, covering exploitation vectors and attack techniques that automated scanning software is flatly unable to perform with its traditional algorithms.
Our award-winning AI technology was first recognized globally in 2018 at the SC Awards Europe in London, where ImmuniWeb outperformed IBM's Watson for Cybersecurity and five other strong finalists in the "Best Usage of ML/AI technology" category, demonstrating the practical benefits of our Machine Learning and AI technology.
At ImmuniWeb, we blend scalable and thus cost-efficient human intelligence with Deep Learning AI to deliver best-of-breed penetration testing at a competitive price. For our award-winning one-time and continuous application penetration testing products, available for web and mobile applications, we offer a starting Express package that provides all-inclusive, automated penetration testing. All other packages include scalable human intelligence for in-depth review and expert analysis of application business logic, holistic reverse engineering of APIs and other tasks where even AI-driven intelligent automation is still outperformed by human expertise.
Conclusion
Automated penetration testing brings great value to small organizations, to businesses exempt from strict regulatory requirements, and to large enterprises seeking to reasonably reduce costs while maintaining decent testing quality for applications that are not business critical.
Make sure you carefully select your pentesting company for automated penetration testing and combine it with human-driven penetration testing, and you will be far less likely to fall victim to cybercriminals amid a rapidly growing threat landscape.
Additional Resources
- Learn more about AI-enabled Attack Surface Management with ImmuniWeb® Discovery
- Learn more about AI-enabled Application Penetration Testing with ImmuniWeb
- Learn more about ImmuniWeb Partner Program opportunities