Nov 7, 2022

Here's Why Manual Penetration Testing is Great

By Elisa Velarde

When it comes to protecting software, don’t count on automated testing to find all the vulnerabilities in your code. Here’s why manual penetration testing is more essential (and more accessible) than one might think.

Humans find vulnerable vectors automation can’t.

While it’s not breaking news that any mature DevSecOps program should build automated application analysis into the software development lifecycle, there is no silver bullet for ensuring the security posture of the entire attack surface. Stopping attackers from gaining access to sensitive information requires a well-rounded program that covers the software development lifecycle from end to end: static code testing, testing of third-party libraries, dynamic analysis, and manual penetration testing. Organizations that want to keep their software as secure as possible can’t afford to leave any stone unturned.

Manual penetration testing, or “pen testing,” has long been the great revealer of both successes and shortcomings when it comes to attack surface security. In our 12th State of Software Security report, Veracode found that 62% of CWEs discovered during a manual penetration test could not be found through an automated scan. Manual pen testing is multi-faceted by design, covering infrastructure, applications, and APIs. A good pen tester can leverage logic flaws and access control weaknesses to follow leads and find unique ways to exploit them. The underlying ethos of any good pen tester is to “think like an attacker.” Attackers are persistent, curious, determined, and not satisfied until they get what they’re after. They look for opportunity in context. They look for application and logic flaws that machines and AI miss.

Many regulatory frameworks, such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP, recognize the importance of manual pen testing and require at least annual penetration testing to reach compliance. However, cost and a lack of understanding of pen testing’s true benefit beyond compliance confound teams’ efforts to test more frequently. Add in other complications, like ad hoc procurement, scheduling issues, and scoping from scratch for each test, and it’s often hard for security teams to justify more than an annual effort.

The myth of “automated” penetration testing.

Scanning tools, even the best of them, aren’t curious, at least not in the way humans are. To get around the complications of performing more frequent manual penetration tests, organizations have resorted to shortcuts like automated tools to reduce the human time required for the test. While this has advantages, like cost reduction and speed, there is a significant downside.

Using a finite set of automated scan results as the starting point for a manual pen test means the pen tester is likely to look only where the scan reported “critical” or “high” severity issues, rather than taking in the broader ecosystem and what a bad actor might leverage. If the pen test is merely a deeper dive into a set of scan results, the core benefit of the pen test is lost.

Ultimately, manual penetration testing is about discovery combined with outside-the-box thinking, something scanners aren’t equipped to do. Automated pen testing platforms can replicate some of the tasks a human pen tester performs within a fixed set of parameters when looking for exploitable weaknesses, but when it comes to using innovative methods and leveraging curiosity and years of experience to find vulnerable vectors, nothing compares to a real, live human, and specifically the right human. Having a seasoned pen test team scope, plan, and administer the test is critical.

Test the way you’d like to test.

Organizations that understand the power of a thorough manual penetration test often express a desire to test more frequently, but are mired in financial approvals, a lack of qualified testers, and scheduling logistics. Veracode has worked with many customers to streamline this process and meet their demand for manual penetration testing on a regular cadence.

Veracode’s Manual Penetration Testing team can help organizations perform manual pen tests in several ways: through annual, ad hoc, or subscription-based testing. Annual and ad hoc penetration tests are both one-time engagements in which a seasoned pen testing team performs a comprehensive, objective-based test. Penetration Testing as a Service (PTaaS), however, gives organizations the best of both options: a seasoned, live human penetration test team, and the ease and convenience of using that team’s services on a pre-scheduled, recurring basis.

Veracode Manual Penetration Testing (MPT) is a critical component of a holistic, multi-faceted software security program. Penetration Testing as a Service (PTaaS) allows organizations to use manual penetration testing like a subscription, partnering with Veracode to find the vulnerabilities only humans can find. PTaaS can be used in conjunction with Veracode’s automated scan products and is purchased the same way: no additional procurement negotiations throughout the year and no budgetary surprises. By adding PTaaS to SAST, SCA, and DAST scan coverage, organizations can substantially strengthen their security posture and reduce risk across the software supply chain.

Penetration Testing as a Service is designed for organizations on a mission to improve their overall security posture and reduce their breach risk. Veracode’s PTaaS lets them make manual penetration testing part of that effort without breaking the budget, and find the 62% of CWEs that automation can’t.

Interested in performing manual pen tests more often? Request a demo.


Elisa Velarde is an innovative Product Marketing Manager with over 10 years’ experience in marketing, product marketing and product management. She is passionate about Application Security and Veracode’s Dynamic Analysis Platform. When she isn’t outdoors running or cycling, she can be found reading an embarrassing number of cyberthreat blogs.