Automated analysis tools excel at finding certain types of vulnerabilities — from cross-site scripting flaws to SQL injection and from misconfigured security headers to remote-file inclusion — but humans continue to be necessary to evaluate the severity of such flaws, according to an analysis of 2,500 penetration tests released on June 9.
In its annual "State of Pentesting 2020" report, security-services firm Cobalt.io found that about two-thirds of its penetration testing engagements involved testing either web applications or web-based application programming interfaces (APIs), with misconfigurations topping the list of security threats discovered in 2019, followed by cross-site scripting and authentication issues. Automated security testing continues to be an efficient way to find these issues, especially as 37% of application security practitioners have to deal with weekly or daily release cadences, the report states.
Yet humans are still needed to find more nebulous classes of vulnerabilities, such as business logic bypasses, race conditions, and attack chains that involve exploitation of multiple vulnerabilities, says Caroline Wong, chief strategy officer for Cobalt.io.
"Anyone who is only using people is missing out of efficiencies that can only be found by machine, and anyone that is only using machines is missing out on whole classes of vulnerabilities," she says. "Use scanners to find your low-hanging fruit, and then use that information to provide context for analyzing the risk posed by those issues."
The survey underscored that certain issues remain for automated scanning for vulnerabilities, including tuning the analysis and testing systems, triaging vulnerabilities, and providing additional context as to the risk that a pa ..
Support the originator by clicking the read the rest link below.
