Automated scanning tools have their place, but should never be seen as a replacement for manual testing and an effective combined security strategy. We’ve produced a whitepaper explaining why. Below you will find a couple of short snippets from the paper:
What is automated scanning?
Simply put, automated testing is a means to provide breadth during a security assessment to reduce the time and effort required to discover and report on issues.
When performing an onsite security assessment of an internal network, a penetration tester (or security consultant) will likely use one or more automated security scanning utilities to identify vulnerabilities on a wide range of target systems in the shortest time-frame possible. This task provides the breadth of coverage usually required when performing an internal vulnerability assessment – ensuring that all devices within scope have been tested for known issues that would allow an attacker some degree of access to the target systems.
How does manual testing differ?
Whilst it would be ideal if all software vulnerabilities could be assessed using a simple scanning tool, the reality is far from this. Automated tests will reliably test for common, well-known vulnerabilities, but lack the capability of testing for domain-specific vulnerabilities. That is, if a test does not exist for a vulnerability, no automated vulnerability scanner will identify or highlight it – giving you (literally!) a false sense of security.
Manual penetration testing is led by intelligence and experience. As a penetration tester, it is common to find the same vulnerabilities in disparate systems – so it is a key skill to know when an automated scanner is producing a false positive and how to prove manually whether a vulnerability actually exists or not. It is through this process of manual testing that false positives are identified and removed, and “false negatives” are found.
You can download the full whitepaper as a PDF.