Manual Assessments are the hackers’ best friend
What is a manual security assessment?
A manual security assessment is an assessment of IT assets carried out by a human tester, one asset at a time, rather than by an automated tool.
These assessments can be conducted on the cloud, mobile applications, web applications, networks, and devices.
We receive a lot of questions from students and blue team professionals asking why manual assessments are needed when automated scanners already do the job. These scanners are expensive, and they are developed by large companies backed by solid research, so why do we still insist on manual assessments?
The concern is legitimate. Scanners are great up to a point: they cover most of the common issues, but several high-severity bugs are still missed.
Why Do Automated Security Scanners Fail?
To understand this, let’s dive deeper into how pen testing is done.
Penetration testing has two aspects: 1. Coverage. 2. Vulnerability discovery. Automated scanners are not a complete solution for either.
Where scanners fall short:
– Limited coverage
– High rate of false positives
– Business logic issues are missed
– Information disclosure vulnerabilities are missed
Coverage means finding every corner of the application and noting it down (in any form) so it can be referred to in the later stages of the pen test. Without a proper strategy for that specific application, some parts of it remain unassessed, and those parts are exactly where attackers will look.
Automated scanners can miss this, and there is a real chance that some stones remain unturned: a lot of the application is covered, but parts are missed too. This is where manual assessment comes in.
Vulnerability discovery means hunting for security issues in the target. Scanners do miss security issues. Yes, you read that right: even while hunting for vulnerabilities, scanners miss real issues, and we are not talking about false positives here. A missed issue can, of course, lead to exploitation.
Automated scanners are good tools, but to get the best out of them you need to know how to configure them properly. That is why we always say: “Scanning is an Art”.
Logic issues are commonly missed by scanners. Each application is different and varies according to its business requirements. A business logic vulnerability is a flaw in the design and implementation of an application that allows an attacker to cause unintended behaviour. This could allow an attacker to manipulate legitimate functionality to achieve malicious goals. These flaws usually arise because abnormal application conditions were never anticipated and, as a result, are not safely handled.
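The kind of flaw described above, as an added example that is not part of the original post and not Ownux code: a deliberately flawed checkout beside a hardened one. Every request the flawed version accepts is well-formed and answered normally, which is why a scanner sees nothing wrong; only a tester who understands the business rules notices that a negative quantity or a repeated discount code turns an order into a credit. Item names, prices and discount codes are constructed for illustration.

```python
"""Added example (not from the original post): a business logic flaw of the
kind scanners miss, shown as a flawed checkout beside a hardened one.
All item names, prices and discount codes are constructed for illustration."""

# Constructed catalogue and one-time discount codes (hypothetical values).
PRICES = {"book": 20.0, "pen": 2.0}
DISCOUNTS = {"WELCOME10": 10.0}


class LogicError(ValueError):
    """Raised when a request violates a business rule."""


def flawed_checkout(cart: dict, codes: list) -> float:
    """Flawed: trusts the client. No request here is malformed, so a
    scanner sees ordinary 200 responses, yet the business rules are broken."""
    total = sum(PRICES[item] * qty for item, qty in cart.items())
    for code in codes:                    # the same code may be applied repeatedly
        total -= DISCOUNTS.get(code, 0.0)
    return total                          # negative qty or stacked codes -> credit


def hardened_checkout(cart: dict, codes: list) -> float:
    """Hardened: enforce the rules the business assumed but never checked."""
    total = 0.0
    for item, qty in cart.items():
        if item not in PRICES:
            raise LogicError(f"unknown item {item!r}")
        if not isinstance(qty, int) or qty < 1:
            raise LogicError(f"invalid quantity {qty!r} for {item!r}")
        total += PRICES[item] * qty
    if len(set(codes)) != len(codes):
        raise LogicError("discount code applied more than once")
    for code in codes:
        if code not in DISCOUNTS:
            raise LogicError(f"unknown discount code {code!r}")
        total -= DISCOUNTS[code]
    return max(total, 0.0)                # a discount never becomes a payout


def rule_violation(cart: dict, codes: list):
    """Return the violated rule as text, or None when the order is valid."""
    try:
        hardened_checkout(cart, codes)
    except LogicError as exc:
        return str(exc)
    return None
```

Both functions accept the same inputs; the difference is only in which assumptions about the order are actually enforced.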
For all the above reasons, we believe that manual pen testing and automated scanning conducted in parallel give the best engagement results. Ownux does this for you, and adopts an abridged version of the PMBOK concept to standardize the management practices for all of our penetration testing projects.