The benefits of manual penetration testing

Protect yourself against cybercrime risks
Protect yourself against cybercrime risks

Website attacks may go unnoticed for months as hackers steal confidential information. The financial losses and reputational damage from a potential breach are spurring organisations on to protect their web applications. Here we find out from Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb, how to keep your website safe in 2015.

TechRadar Pro: What tools are organisations turning to in order to protect their websites?

Ilia Kolochenko: When security breaches fill the news with stories of stolen customer data and website failures, organisations typically turn to automated scanners. And this overreliance on scanners is leaving organisations in a vulnerable position. Unfortunately, there is still a common misconception that fully-automated website vulnerability scanning brings the same results as manual web application penetration testing.

TRP: Why do we still need manual penetration testing?

IK: The need for human skills was recently demonstrated by a major new analysis (reported by Ars Technica) conducted by the universities of KU Leuven (Belgium) and Stony Brook (New York).

The researchers tested websites "protected" with various trust seals provided by security vendors delivering automated vulnerability and malware scanning services – reputable companies including Symantec, McAfee, Trust-Guard, and Qualys.

The research showed "that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify." This is a weakness inherent in almost all fully-automated solutions – they can only go so far before their output needs to be analysed by a qualified pentester (penetration tester).

TRP: Tell us how vulnerability scanning works?

IK: Vulnerability scanning can be very cheap or even free, while penetration testing can be considered quite expensive and time-consuming to plan and execute. However, penetration testing brings significant added-value in comparison to all types of malware or vulnerability scanning currently on the web security market.

In fact, today almost anybody can do vulnerability scanning: you just need to download any of a number of vulnerability scanners – some quite excellent – and run them against a website. They will generate an automatic report providing numerous actual and potential vulnerabilities and weaknesses – and probably a number of false positives as well.

False positives are time-consuming – you need to verify every single issue the scanner detects. Much worse are false-negatives – existing vulnerabilities that automated solutions miss, leaving systems vulnerable and giving website administrators a false sense of security. Some automated solutions may assign a medium risk to 403 or 500 error pages returned by the web server (that are not vulnerabilities, just error pages).

Finally, website administrators, under strain from heavy workloads, start ignoring all medium-risk vulnerabilities from daily scanning reports. As a result they miss important information about real vulnerabilities that deserve their attention.

TRP: Which companies should be using vulnerability scanners?

IK: Security scanners are probably a must-have tool for large companies that perform some of security testing internally, relying on in-house security professionals who are capable of verifying and completing the results of an automated scan. Automated vulnerability scanning can also be very useful to keep internal teams up to date about the general state of their web applications.

However, automated solutions and security scanners are not capable of replacing a penetration test. They are not suited for SMBs as well, neither for projects where companies need both rapidity and the highest quality of security testing.

TRP: What are the advantages of manual penetration testing?

IK: True pentesting starts from where a vulnerability scan finishes. A pentester will take the reports from probably several different scans and use his personal skills and experience to weed out the false positives, and identify missed vulnerabilities.

In particular, he is likely to recognise the weaknesses in the business logic, which scanners cannot efficiently detect, and see how otherwise minor technical flaws can be chained together to effect a major breach. A recent example of application logic flaw is Alibaba's website, where a tiny bug exposed the most sensitive information of millions of users. Another recent example is a similar vulnerability in the Delta Airlines website, where URL manipulation allowed access to anyone's boarding pass.

Another example of the vital need for a deep level of IT and security expertise comes with a scanner's discovery of a vulnerability. The vulnerability is probably already known to the security team and remains unpatched for a "good reason" – in some cases a patch for the vulnerability may threaten functionality of a critical business process. It is a frequent case in large companies, where many critical products are developed in-house or outsourced, and suffer from various compatibility issues that prevent systems being kept up to date.

In this case, a scanner will probably just generate generic information about a patching technique. A qualified pentester, however, is capable of understanding the business needs and processes of the customer, and will probably suggest an appropriate solution that will not impact business continuity, and if not fix the vulnerability, then at least prevent its exploitation (by adding additional rules to the Web Application Firewall for example).

TRP: How accurate are vulnerability scanners?

IK: In our experience, most scanners can probably find only about 40-60% of the vulnerabilities in web applications. It's not a problem with the scanning technology – a scanner could probably be developed for a particular application, platform or framework capable of finding 99% of the vulnerabilities specific to the application.

However, taking into consideration the great variety of web technologies that exist today, it is impossible to develop a universal scanner that will efficiently detect vulnerabilities in all types of web applications. Human expertise is required here.

TRP: What are the limits for web penetration tests?

IK: Web penetration tests also have their limits. For example they cannot prevent a website admin PC from being hacked, with the aim to steal FTP or SSH credentials to infect the website with malware later on. However, malware can be identified very quickly with daily malware scanning.

Vulnerability scanning should be used for continuous security and integrity monitoring, while penetration testing should be used to properly identify all the existing vulnerabilities and weaknesses, and develop reliable fixes for them. This is where continuous daily monitoring combined with quarterly penetration testing is the most efficient and effective way to keep a website secure.

TRP: Where do you see the future of web security assessment?

IK: As a solution to the gap between automated and manual security testing, High-Tech Bridge has launched ImmuniWeb SaaS this year – a hybrid approach to web security testing.

ImmuniWeb combines manual and automated web security testing suitable for all types of businesses, regardless of their size, geographical location or internal skills. The high speed and large-scale of automated testing combined with human expertise and experience accurately detects the most complex security flaws missed by scanners and other automated solutions.

Moreover, ImmuniWeb auditors provide our customers with personalised solutions suited to their business and technical needs.

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.