Dec 29, 2016

Where Pen Testing Belongs in Your Application Security Process

By Suzanne Ciccone

What Is Manual Penetration Testing?

Manual penetration testing (MPT, or simply pen testing) is an application security method in which a human tester tries to break into an application by hand in order to find vulnerabilities. An important component of your overall application security program, this method can identify vulnerabilities that automation cannot detect, such as business logic flaws.

Its importance is reflected in regulations and standards: PCI DSS explicitly requires penetration testing, and HIPAA, GLBA, FISMA and NERC CIP call for periodic security evaluations or vulnerability assessments that penetration testing is commonly used to satisfy. The OWASP Top 10 and the CWE/SANS Top 25 are lists of common weakness categories rather than mandates; they are useful as a checklist of what a test should cover, and several of their entries, such as access control and business logic flaws, are best found by a human tester.

Pen Testing as Part of the Solution, Not the Solution

Although we come across many companies that test their applications only with manual penetration testing, this method is most effective when used in conjunction with automated scanning solutions.

Why? Because MPT alone is not scalable and is quite costly. It also will take much longer for a human to find every flaw that a machine could have found; it can take weeks to perform a full penetration test on an application, with results that vary depending on the tester. 

On the other hand, automation alone is also not enough to ensure an application is thoroughly tested. For example, automated SAST and DAST scans are limited in detecting CSRF (Cross-Site Request Forgery) and business logic vulnerabilities. A scanner can flag a form that lacks an anti-CSRF token, but it cannot judge whether the action behind that form matters, or whether the server actually validates the token it sees; and a logic flaw (a checkout that accepts a negative quantity, a workflow step that can be skipped) is only visible to someone who understands what the application is supposed to do. MPT is the only reliable way to detect and, above all, validate these vulnerabilities.
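To make that scanner limitation concrete, here is an added example (written for this page; it is not Veracode's code and not part of the original post) of the kind of heuristic a DAST-style check uses to look for CSRF, run over a few constructed sample pages. The page contents, the token field names and the helper names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Field names commonly used for anti-CSRF tokens. This list is an assumption and a
# heuristic: an application that uses a different name, a custom request header or
# a double-submit cookie is simply invisible to it.
TOKEN_FIELD_NAMES = {
    "csrf_token", "csrfmiddlewaretoken", "_csrf", "_token",
    "authenticity_token", "__requestverificationtoken",
}

# Constructed sample pages (not taken from any real application).
SAMPLE_PAGES = {
    # A real CSRF candidate: state-changing POST with no token field.
    "/account/settings": """
        <form method="post" action="/account/email">
          <input type="email" name="email">
          <input type="submit" value="Change email">
        </form>""",
    # Token present. The scanner cannot tell whether the server validates it.
    "/profile": """
        <form method="post" action="/profile/update">
          <input type="hidden" name="csrf_token" value="abc123">
          <input type="text" name="display_name">
        </form>""",
    # A POST that changes nothing: the heuristic flags it anyway (false positive).
    "/search": """
        <form method="post" action="/search">
          <input type="text" name="q">
        </form>""",
    # State change behind a GET form: the heuristic never looks at it (blind spot).
    "/account/close": """
        <form method="get" action="/account/delete">
          <input type="hidden" name="confirm" value="1">
          <input type="submit" value="Delete my account">
        </form>""",
}


class FormCollector(HTMLParser):
    """Collects every <form> on a page with its method, action and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "form":
            self._current = {
                "method": attrs.get("method", "get").lower(),
                "action": attrs.get("action", ""),
                "fields": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(attrs.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_csrf_candidates(pages):
    """Flag POST forms that carry no recognisable anti-CSRF token field.

    Returns a list of (page_path, form_action) tuples in page order.
    """
    findings = []
    for path, html in pages.items():
        collector = FormCollector()
        collector.feed(html)
        for form in collector.forms:
            if form["method"] != "post":
                # Blind spot: a GET form that changes state is never examined.
                continue
            if TOKEN_FIELD_NAMES.intersection(form["fields"]):
                # A token field exists; whether the server checks it is not visible here.
                continue
            findings.append((path, form["action"]))
    return findings


if __name__ == "__main__":
    for page, action in find_csrf_candidates(SAMPLE_PAGES):
        print(f"possible CSRF: form on {page} posts to {action} without a token field")
```

Run against the sample pages, the check reports the form on /account/settings (a genuine candidate) and the one on /search (a harmless POST that a tester would dismiss), skips /profile because a token field is present, and never examines the account-deletion form on /account/close because it uses GET. Deciding which flagged forms guard actions worth protecting, confirming that a present token is actually validated server-side, and noticing the state change hiding behind a GET are exactly the judgment calls a manual tester supplies.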

Pen Testing Last, Not First

After working with customers to find and remediate security-related defects in their code over the past 10 years, we’ve discovered that the best use case for MPT is as the final check – not the first and only check.

The best practice is to conduct MPT after developers have completed remediating defects found through static and dynamic scans. We recommend you require a penetration test before the application is put into production, as the final step in a production release.

When you first employ static, dynamic and software composition analysis (SCA) technologies to find the vulnerability classes they are good at (injection flaws, insecure configurations, third-party components with published vulnerabilities), the manual penetration testers can subsequently concentrate on the areas of the application where automated scanning produces more false positives or has blind spots.

How often should you conduct penetration testing? Depending on the application or the organization's compliance requirements, testing frequency can vary, but the general guideline is to perform penetration testing at least annually, and again after any significant change to the application or its infrastructure (PCI DSS, for example, requires both).

No Application Security Silver Bullet

You cannot effectively secure your applications with one testing technique. Different testing methods are better at identifying different types of vulnerabilities, and relying on one method leaves you open to attack. You won't solve your application security problems with a point solution, but rather with a program that features multiple testing types, both manual and automated, that look at your entire application landscape and at applications across their lifecycles, from development to production.

To get more details on what good application security looks like, start with someone who’s been there. Check out our new guide written by Colin Domoney, Veracode’s Senior Product Innovation Manager and former AppSec manager for a global investment bank – 5 Lessons From an Application Security Pro.

By Suzanne Ciccone

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.