Manual Penetration Testing

Pen testing involves analyzing applications for poor or improper configurations, known and unknown flaws, and operational weaknesses. View our webinar on avoiding dangerous programming errors while building secure apps.

Manual Pen Testing

Manual Penetration Testing layers human expertise on top of automated static binary and automated dynamic analysis when assessing high assurance applications. A manual penetration test is required to obtain the VERAFIED™ HIGH ASSURANCE marks for OWASP Top 10 and CWE/SANS Top 25. It provides complete coverage for these standard vulnerability classes, as well as other design, business logic, and compound flaw risks that can only be detected through manual testing.

Veracode’s risk-adjusted verification methodology for applications was designed to incorporate multiple analysis techniques, including automated static, automated dynamic, and manual penetration testing. Higher assurance applications require more comprehensive analysis in order to reduce false negative (FN) rates, particularly for vulnerabilities only detectable through manual assessment. Veracode recommends that all three analysis techniques be performed for applications with high assurance levels.

Multiple Techniques for Full Coverage

Through the combination of automated analysis (static and dynamic) and comprehensive manual testing, all application-related flaws of measurable risk should be identified. Veracode's partners provide manual pen testing expertise to layer on top of Veracode's automated analysis for high assurance applications. Results from the automated and manual testing are combined into a consolidated assessment report to simplify the remediation process.

OWASP Top 10 and CWE/SANS Top 25 Testing

The addition of manual analysis enables the testing of vulnerability classes that cannot be identified through purely automated means. Veracode, using its three complementary analysis techniques, is able to test an application’s resilience to the OWASP Top 10 security risks and the CWE/SANS Top 25 software errors. While all attack vectors are considered in scope during a Comprehensive Manual assessment, activities are primarily focused on those flaw categories that currently require manual inspection to assess adequately.