Manual vs. Automated Penetration Testing
“Why should I employ a security consultant when I have Nessus at work?”
This question surfaces every so often on the front page of LinkedIn, or is asked directly by potential customers of cyber security consulting companies during sales talks, and we believe it comes from a legitimate standpoint. The accessibility and low cost of maintaining an automated tool, compared to hiring a security consultant, can look like an excellent opportunity for companies to reduce their expenses. In reality, relying exclusively on automated scanners and exploitation tools can leave hidden gaps wide open to malicious hackers who think outside the box. In this short document we would like to mention several key reasons why automated scanners and exploit tools cannot replace manual penetration testing performed by an experienced security consultant. Here are some scenarios where a human mind is better than an automated one:
- Attack Chaining: After running a scan, the scanner reports two new vulnerabilities, “stored cross-site scripting (XSS)” and “Cross-Site Request Forgery (CSRF)”. Taken in isolation, neither may pose a major risk, so the risk is accepted and the vulnerabilities are left in place. One of the key goals of a security consultant is to find the worst-case scenario for the discovered vulnerabilities. This can be achieved by taking two isolated vulnerabilities and combining them (also known as “chaining”) to greatly increase the impact of the attack. In the example above, the security consultant can embed the CSRF payload inside the stored XSS, which means every user affected by the XSS is also affected by the CSRF attack.
- Contextual Understanding: You’ve decided to hide the default admin portal of your site framework by adding your company’s initials to the name of the page (also known as “security by obscurity”). The automated tool will scan for the default path and find nothing, but hackers are smarter than that. A security consultant will study the application's naming practices and, with the help of automated directory fuzzers, detect and access the "hidden" page.
- False Positives: A new alert pops up on your screen: “a new vulnerability was discovered!”. You open the logs of the vulnerability scanner and discover that an old README.txt file you kept on the site indicates the use of an outdated extension, but in reality you removed that plugin from the site long ago. An experienced security consultant takes the results of automated scanners and replicates them independently to confirm whether the vulnerability is real.
- Flexibility: Automated tools usually work from a database or list of common payloads that they repeatedly attempt to execute against an attack vector. On the other hand, there are security systems that take the same list of payloads and block them. As a result, the automated tool will report that there is no risk. An experienced security consultant will search for mutations and new methods of exploiting the vulnerability, which may lead to bypassing the security system.
- Staying up to date: At the end of the day, automated tools are products, with strict SDLCs and working hours for their developers. A brand new attack may be revealed and actively exploited by hackers while the tool update that covers it is still in development, and it may take several days until it is deployed. In other words, the automated tool won’t be able to detect it in your products, but the vulnerability can still be discovered and exploited by security consultants who actively stay up to date.
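The "False Positives" scenario above is a triage question: the scanner only read a stale README.txt, so the finding needs independent confirmation before it is reported. The following added example (our own illustration, not code from the original article) shows that confirmation step: it parses the version line the scanner keyed on, compares it with the first fixed release, and then checks whether the plugin's own path is actually still served. The README text, the `Version:` line format, the plugin path and the HTTP responses are all constructed so the example runs offline.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of the stale README.txt the scanner fetched from the site root.
# The "Version:" line format is an assumption made for this example.
STALE_README = """Example Gallery plugin
Version: 1.2.3
Installed by the previous webmaster, see docs/ for details.
"""

VERSION_RE = re.compile(r"^Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the README's version as a tuple of ints, or None if no version line exists."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage_outdated_plugin(readme: str, plugin_path: str, fixed_in: str,
                           probe: Callable[[str], int]) -> str:
    """Replicate a scanner's 'outdated plugin' finding instead of trusting it.

    The scanner's only evidence is README.txt; we additionally check whether the
    plugin's code is still reachable. `probe` maps a URL path to an HTTP status so
    the example can run against a constructed site map rather than a live host.
    """
    found = parse_version(readme)
    if found is None:
        return "inconclusive"       # no version string, nothing to compare against
    fixed = tuple(int(p) for p in fixed_in.split("."))
    if found >= fixed:
        return "not_vulnerable"     # README already names a patched release
    # Outdated on paper; is the plugin actually still deployed?
    if probe(plugin_path) == 200:
        return "confirmed"          # plugin code is reachable: report the finding
    return "false_positive"         # stale README only, the plugin was removed


# Constructed site map standing in for live HTTP responses (hypothetical paths).
SITE: Dict[str, int] = {"/README.txt": 200, "/plugins/example-gallery/": 404}


def fake_probe(path: str) -> int:
    return SITE.get(path, 404)


if __name__ == "__main__":
    verdict = triage_outdated_plugin(STALE_README, "/plugins/example-gallery/", "1.4.0", fake_probe)
    print(f"Scanner finding verdict: {verdict}")
```

In a real engagement the probe would be an HTTP request made from the consultant's side, and the same three-way verdict (confirmed, false positive, inconclusive) is what separates a reproducible finding from scanner noise.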