Automated penetration testing
Automated penetration testing plays an important role in the toolkit of security professionals. As part of a comprehensive security program, these tools can quickly evaluate the security of systems, networks, and applications against a wide range of threats. However, security professionals should regard automation as a supplement to traditional manual testing, not a replacement for it.
What is automated penetration testing?
During penetration testing, security professionals conduct deliberate attacks against systems and applications to determine whether unauthorized access is possible. The purpose of these tests is to adopt an "attacker mentality" and use the same tools and techniques as real attackers in order to detect security weaknesses. Penetration testing is widely regarded as the best test of system security because it is the closest thing to a real-world attack. These tests usually take skilled people a lot of time to carry out, and, ideally, the engineer performing them should match or exceed the skill level of a potential attacker.
The highly manual nature and high cost of penetration testing lead many enterprises to automate part of the process. The test is still guided by skilled professionals, but many steps are automated to remove the repetitive parts of the work. For example, testers can use a vulnerability scanner to check a large number of systems for known vulnerabilities. Likewise, they can use automated exploitation tools to perform multi-step attacks.
Why use automated testing?
Using these tools provides several key benefits for enterprises. First, frequent scanning shortens the time it takes to detect a newly introduced vulnerability. Second, automated tools can test a large number of systems for many known security vulnerabilities without tedious manual effort. Finally, automated tools reduce the amount of tedious work required of highly skilled people, allowing them to concentrate on coordinating tests and applying their expertise where it matters most.
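As an added illustration of the workflow described above (this is example code, not part of the original article and not the output format of any real scanner), the script below takes two consecutive scheduled scan runs over many hosts, reports which findings are new since the previous run and which were fixed, and orders the new findings by severity so that a tester knows where to spend manual effort first. The scan records and their field names are constructed for this example.

```python
"""Diff two constructed vulnerability-scan runs and prioritize new findings.

Constructed example: the record format (host, port, plugin, severity) and the
findings themselves are invented here to show how a scheduled scanner's
results can be compared run-to-run so that newly appeared issues surface
quickly and are handed to a skilled tester in severity order.
"""
from collections import defaultdict

# Severity names this example accepts, highest first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed results of the previous scheduled scan.
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "port": 443, "plugin": "TLS-WEAK-CIPHER", "severity": "medium"},
    {"host": "10.0.0.5", "port": 22, "plugin": "SSH-OLD-VERSION", "severity": "high"},
    {"host": "10.0.0.7", "port": 80, "plugin": "HTTP-DIR-LISTING", "severity": "low"},
]

# Constructed results of the latest scheduled scan: one issue was fixed,
# two new ones appeared (one of them on a host not seen before).
LATEST_SCAN = [
    {"host": "10.0.0.5", "port": 443, "plugin": "TLS-WEAK-CIPHER", "severity": "medium"},
    {"host": "10.0.0.7", "port": 80, "plugin": "HTTP-DIR-LISTING", "severity": "low"},
    {"host": "10.0.0.7", "port": 8080, "plugin": "WEBAPP-SQLI", "severity": "critical"},
    {"host": "10.0.0.9", "port": 445, "plugin": "SMB-SIGNING-OFF", "severity": "medium"},
]


def validate(findings):
    """Reject malformed scanner output instead of silently mis-ranking it."""
    for f in findings:
        for field in ("host", "port", "plugin", "severity"):
            if field not in f:
                raise ValueError(f"finding missing field {field!r}: {f}")
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f}")
    return findings


def finding_key(f):
    """Identity of a finding across runs: same host, port and check."""
    return (f["host"], f["port"], f["plugin"])


def diff_scans(previous, latest):
    """Return (new, fixed): findings that appeared and findings that vanished."""
    prev_keys = {finding_key(f) for f in validate(previous)}
    latest_keys = {finding_key(f) for f in validate(latest)}
    new = [f for f in latest if finding_key(f) not in prev_keys]
    fixed = [f for f in previous if finding_key(f) not in latest_keys]
    return new, fixed


def prioritize(findings):
    """Order findings for manual follow-up: highest severity first, then host/port."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["port"]),
    )


def summarize_by_host(findings):
    """Count findings per host and severity, e.g. for a dashboard or report."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return {host: dict(sev) for host, sev in counts.items()}


def manual_review_queue(previous, latest):
    """Human-readable queue of new findings, most severe first."""
    new, _ = diff_scans(previous, latest)
    return [
        f"{f['severity'].upper():8} {f['host']}:{f['port']} {f['plugin']}"
        for f in prioritize(new)
    ]


if __name__ == "__main__":
    new, fixed = diff_scans(PREVIOUS_SCAN, LATEST_SCAN)
    print(f"{len(new)} new finding(s), {len(fixed)} fixed since last run")
    for line in manual_review_queue(PREVIOUS_SCAN, LATEST_SCAN):
        print(line)
    print(summarize_by_host(LATEST_SCAN))
```

Keying findings on host, port and check name (rather than on the whole record) is what makes the run-to-run comparison stable when a scanner rewrites descriptions or scores between versions; the validation step matters because an unknown severity from a malformed export would otherwise be silently ranked wrong.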
Automated testing tools can also be a key component of IT compliance audits. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires regular vulnerability assessments of card-processing systems, and automation is the only practical way to meet this requirement. However, automation is not a panacea for PCI compliance. The standard itself acknowledges: "Penetration testing is generally a highly manual process. Although some automated tools can be used, the tester needs to use their knowledge of the systems to penetrate into the environment."
Select your toolset
The penetration tester's toolkit should include a wide range of automated tools, so that testers can automate as much of their work as possible and supplement the automated tools with manual work where necessary. These tools should include network vulnerability management suites, such as Nessus, Qualys, or Rapid7, which can perform quick and extensive scans across the enterprise to discover network-facing vulnerabilities. In addition, penetration testers should use web application penetration testing tools, such as Acunetix or WebInspect, to detect common web application vulnerabilities such as SQL injection or cross-site scripting.
Finally, every toolset should include the open-source Metasploit Framework. This collection of vulnerability information and exploit modules fills the gap between automated and manual testing, allowing testers to validate the vulnerabilities reported by network and web assessment tools and determine whether an attacker could actually exploit them to gain unauthorized access. The basic Metasploit Framework is free of charge, and several commercial vendors have built graphical interfaces and other tools on top of it.
Automated penetration testing technology can bring significant advantages to a security program. These tools provide quick and comprehensive assessments of system security and are a good supplement to manual testing techniques.