By Nazar Tymoshyk and Stanislav Breslavskyi
We are living in the era of automation, and the IT industry keeps telling us that computers will soon gulp up the majority of human-performed tasks. Still, there are some things that will always be best accomplished by humans. In the security world, manual penetration testing (MPT) is at the top of the list.
In this article we will tell you why it is so critical to perform manual penetration testing and on what stage, how it differs from other security activities and hacking, and why forgoing it may cost you a fortune!
Manual Penetration Testing in the Secure SDLC
Put simply, manual penetration testing is carried out to identify how secure a product is and how resistant it is against hacking. If you underestimate the power of MPT, your product has a high chance of being hacked.
Let’s get straight to the point about when and where it should be applied.
MPT involves one or more security experts performing tests and simulating "in the wild" attacks. The goal of such testing is to determine the potential for an attacker to successfully access and perform a variety of malicious activities by exploiting vulnerabilities, either previously known or unknown, in the software.
A standard Software Development Lifecycle (SDLC) looks as follows:
With a properly thought-out security program for your SDLC, the number of defects should decrease from phase to phase. As a rule, automated security testing (AST) is conducted at two stages:
- Implementation: In the process of code writing, static application security testing (SAST) detects errors in the code, until it is flawless;
- Verification: When the code is ready and the software is under development, a dynamic application security testing (DAST) scanner sends a request imitating the most primitive attacks, gets a response and analyzes the outcomes.
In the short run, it looks like a perfect scheme: A code gets tested, analyzed, and verified automatically, so why bother with some kind of manual penetration? The crux of the matter lies in real-life experience.
According to MITRE research, all the claims of vendors providing application security tools put together cover only 45 percent of the known vulnerability types. The overlap between these tools is not that large, so to get 45 percent you`ll need to use them all (assuming their claims are true). Since no software developer could feasibly use all of the existing application security tools in their testing, there are bound to be some exposed vulnerabilities left in your program.
Human vs. Machine Security Testing
In the course of automated security testing, security tools typically look for already defined and predictable patterns in an application code, but they do not search for:
- Logical and design defects
- Rights separation, access control implementation
- Complex attack vectors
- Defects in architecture and implementation of specific security controls
Manual penetration testing adds the benefit of specialized human expertise to automated static and dynamic analysis. It uses the same methodology cyber-criminals use to exploit application weaknesses (such as business logic vulnerabilities). A manual penetration tester plays the part of an attacker trying to exploit the very logic of the software, looking for unknown weaknesses and being concerned only with unexpected results.
In other words, a manual penetration tester is capable of doing everything that is out of DAST’s hands: if DAST is working according to the request-response principle, a manual penetration tester is directly involved in the process of penetration and may project the outcomes of it.
Manual Penetration Tester's Responsibilities
So coming back to the 45 percent share of bugs covered by AST, a manual penetration tester is responsible for the remaining 55 percent and can uncover even the slightest item in design and logic, which may cause failure of the whole system. Timely applied MPT complements and extends an automated assessment. The scope of manual penetration testing includes:
- Bypassing authentication and authorization mechanisms
- Escalation of user privileges
- Hijacking accounts belonging to other users
- Violating access controls placed by the administrator
- Altering data or data presentation
- Corrupting application and data integrity, functionality and performance
- Bypassing application business logic
- Bypassing application session management
- Breaking or analyzing use of cryptography within user accessible components
Manual Penetration Testing: Final Thoughts
The results of manual penetration testing will help strengthen the established security controls, standards and procedures to prevent unauthorized access to the organizational systems, applications and critical resources. The earlier you schedule it, the better results.
Otherwise, detecting a critical bug shortly before a release may ruin the entire process of product development and the only way out will be to start everything from scratch -- this time with manual penetration testing at the top of your mind.
Nazar Tymoshyk and Stanislav Breslavskyi are both security engineers at SoftServe Inc. and are regular contributors to the SoftServe United blog. Nazar holds a Ph.D. in information security from the State University, Lviv Polytechnics and is an expert in multiple security disciplines including computer forensics, malware analysis and intrusion detection. Stanislav is also a graduate of the State University, Lviv Polytechnics with a bachelor’s degree in information security. Stanislav focuses on network solutions development, specifically security-related development.