Manual Penetration Testing: A Vital Component of Intelligent App Development
It is a common misconception that because of the prevalence of automated security testing, a manual penetration test will not be necessary for the development of any given app. However, this is not the case.
Even though IT people are trying to tell the world that computers will soon be doing most things that humans do, there will always be things that are best done by human beings. Manual penetration testing, or MPT, is one of these things.
The purpose of a manual penetration test is to determine how secure a product is and how well it stands up to potential hackers.
MPT entails security experts performing tests and simulating the attacks a hacker would attempt. The purpose is to find out how easily someone could gain access to the software and carry out malicious activities. A web application penetration test protects an online application in exactly this way.
Typically, automated security testing, or AST, is done at two different stages: implementation and verification. Implementation entails static application security testing (SAST) to detect errors in the code while it is being written, until the code is free of known flaws. Verification entails a dynamic application security testing (DAST) scanner sending requests that imitate a primitive attack once the code is complete. A response is obtained, and the outcome is analyzed.
This by itself may seem ideal, since the code is being tested, analyzed, and verified with no human effort required. However, experience shows that manual penetration testing is still necessary. MITRE research shows that all of the automated application security tools put together cover only about 45% of the known vulnerability types. This means that even if every one of these tools were used, which is not practical, only 45% of vulnerabilities would be accounted for.
Automated security tools look for predictable, already-known patterns in code, but they are not capable of screening for: logical and design defects, complex attack vectors, rights separation and access control implementation, architecture defects, and the implementation of specific security controls. Manual penetration testing adds human expertise to the arsenal, and it effectively covers the remaining 55% of vulnerability types, meaning everything that DAST cannot find. MPT done at the right time complements an automated assessment.
Manual penetration tests involve the following components: escalation of user privileges, bypassing authentication and authorization mechanisms, hijacking accounts that belong to other users, violating administrator access controls, corrupting the integrity of data and applications, degrading performance and functionality, altering data, bypassing application session management, bypassing application business logic, and breaking or analyzing the use of cryptography within components that are accessible to users.
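To make the access-control point above concrete, here is an added example (not code from the original article or from any product it mentions) of an object-level authorization flaw of the kind a pattern-matching scanner passes over and a manual tester finds by swapping one user's record id for another's. The `Invoice` type, the `fetch_invoice_*` functions and the in-memory record store are all hypothetical and constructed for the illustration.

```python
# Added example: a missing ownership check that SAST/DAST pattern matching
# does not flag, beside the hardened version a manual tester would expect.
# Names and data are hypothetical; INVOICES is a constructed in-memory store.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, total=250.0),
    102: Invoice(invoice_id=102, owner_id=2, total=990.0),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def fetch_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Looks the invoice up by id only. Every call is a typed, parameterised
    lookup with no unsafe API in sight, so a scanner hunting for injection
    or dangerous-function patterns reports nothing; yet any authenticated
    user can read any other user's invoice just by changing the id."""
    return INVOICES[invoice_id]


def fetch_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Same lookup with the ownership check that enforces rights separation.
    'Not found' and 'not yours' collapse into one error so a caller cannot
    tell which ids exist from the response."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def can_read_other_users_invoice(fetch) -> bool:
    """Regression check: user 1 asks for user 2's invoice (id 102).
    Returns True when the read succeeds, i.e. the access control is missing."""
    try:
        fetch(1, 102)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", can_read_other_users_invoice(fetch_invoice_vulnerable))  # True
    print("hardened leaks:", can_read_other_users_invoice(fetch_invoice_hardened))      # False
```

A check like `can_read_other_users_invoice` is the kind of business-logic assertion that can be kept in the test suite once a manual test has found the flaw, so the automated stages catch any regression.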
External penetration testing will reinforce critical resources, applications, established security controls, standards and procedures that are meant to prevent unauthorized access, and more. The earlier that MPT is done, the stronger the results will be. If a critical bug is detected just before the release of the product, the entire process might be compromised, and you will actually need to start from scratch on the entire project.
Guest Author: Archie Ward