Why Manual Penetration Testing and Automation are Important Aspects of an AppSec Program

Authored by Jacques Lopez and Tom Eston 

As a result of the current COVID-19 pandemic, most companies are operating remotely. This “new normal” has led to an increased demand for digital transformations and cloud migrations. But Verizon’s 2020 Data Breach Investigations Report recently noted that cyberattackers are taking advantage of the digital transformations, finding new ways to attack web applications. As Tami Erwin, CEO of Verizon Business, recently stated, “As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount.”

So how can you digitally transform your business while maintaining application security (AppSec)? You need to incorporate Manual Penetration Testing (MPT) along with AppSec automation. Only leveraging Manual Penetration Testing (MPT) can be costly and time-consuming, but – if you only leverage automated scans – you could miss authorization issues and business logic flaws. Let’s explore MPT and AppSec automation in-depth, and weigh the pros and cons, to show why both are essential to properly protect your applications.

Manual Penetration Testing

MPT is conducted by a human, known as a “pen tester.” The pen tester leverages security and assessment tools to uncover vulnerabilities in applications along with the resulting impact. MPT is vital for the deep inspection of critical apps because it finds classes of vulnerabilities that automated assessments can’t, such as authorization issues and business logic flaws. It also helps validate the results of an overall AppSec program. That said, it cannot be the only testing type used for your applications. It simply doesn’t integrate well enough to meet developer’s needs, and it’s not cost-effective.

Pros:

• Leverages human understanding of business logic, finding vulnerabilities that automated assessments can’t identify
• Offers in-depth testing into the application
• Uses multiple tools to test the application
• Provides an excellent snapshot in time of the security of the application
• Is the generally accepted compliance step for a security review

Cons:

• Does not always integrate well into the development process; although, there are more “crowdsourced” and “continuous” penetration testing models arising to reduce response times
• Can be a bottleneck in the process and slow development down while they wait for the results
• Results can vary between tests and penetration testers – just part of human nature that testers will see different things and have different approaches
• Occasionally leaves security gaps in between testing
• Can be cost-prohibitive to test the full portfolio of applications

AppSec Automation

AppSec Automation is the programmatic incorporation of automated security scanning into the DevOps process and the security risk management practice. Security automation is required for scale, cost-effectiveness, and integration into the DevOps process. Organizations that solely rely on MPT have a minimal chance of reaching the programmatic outcomes around risk reduction that continuous scanning can provide.

Pros:  

• Can be integrated into the development process which is much easier for developers to use
• Scales to encompass most, if not all, of the application portfolio
• Implements a consistent and repeatable security policy
• Benchmarks to show improvement over time
• Scans on-demand at multiple stages of development and security review
• Less expensive per scan

Cons:

• Can only scan for what it knows.  It does not currently replace understanding the business logic of an application and creativity of a professional pen tester
• May not be considered independent attestation if done with an on-premises tool

Both are required for a fully effective program but address different needs.  MPT is best suited for a point-in-time assessment on business-critical applications where business logic considerations come into play. Automation builds a scalable AppSec program that benchmarks and demonstrates a reduction of risk over time.  It also aligns with the development process which is key in getting developers to adopt security practices.

If your organization is considering a digital transformation and looking to implement MPT or automated scans, we can help. Veracode and our channel partners can help you build out a program that meets your needs. Visit our product page to learn more.