Death of the Manual Pen-Test: Blind Spots, Limited Visibility

Manual penetration testing (pen-testing) is increasingly challenged by automated methods of vulnerability discovery and management. The reasons are not difficult to understand: manual testing costs too much and covers too little.

A new survey of more than 100 IT and security managers involved in the pen-testing practices of companies with more than 3,000 employees provides more details. The survey was conducted by Informa Tech on behalf of CyCognito.

The survey report indicates that the primary reasons for conducting pen-testing are to measure the company’s security posture (70 percent) and to prevent breaches (69 percent). It is clear from other responses, however, that there is widespread concern over whether pen-testing can deliver on these requirements.

The main concerns are that pen-testing does not cover the entire infrastructure, leaving blind spots (60 percent); it examines only known assets rather than discovering and testing assets that may have been forgotten, or not recognized, in cloud environments (47 percent); the cost of pen-testing is too high for it to be used extensively (44 percent); and, related to the cost, the results of pen-testing provide only periodic snapshots in time that might no longer be accurate the day after the testing (36 percent).

These concerns are not a criticism of the pen-testers themselves. Pen-testers still provide, says CyCognito, “a valid way to surface some vulnerabilities in specific, scoped portions of an attack surface at a single point in time.” Pen-testing is conducted by skilled professionals who bring human creativity to complex challenges.

The implication of this statement is that manual pen-testing still has a place in testing the security of perhaps the customer’s most important assets, but only as a complement to automated monitoring of the overall attack surface.

The primary reason that pen-testing cannot be extended ..