Penetration Testing vs Automated Scanning – A subject that comes to light quite often.
Sometimes seen as equal among businesses looking to improve their security, it couldn’t be further from the truth.
Many people believe that an automated scan of their assets is enough to tick the boxes on frameworks. Frameworks such as ISO27001, PCI-DSS and HIPAA separate the two into distinct categories.
These frameworks segment both penetration testing and automated scanning so that both are required to tick the boxes.
Automated scanning of network and web applications gives the user an understanding of the vulnerabilities that they are open to.
A penetration test on the other hand is undertaken by a qualified individual. Usually from an external team, they look for vulnerabilities and weaknesses that automated scanning tools can’t pick up on.
A penetration tester may use pieces of software in their day-to-day work such as Metasploit. It must not be mistaken for running an automated penetration test.
The day of outsourced security services
We see lots of companies cropping up right now that are offering penetration testing services. You need to be careful with who you are allowing to do this work.
There have been reports of penetration testers that are just running automated scans on infrastructure and web applications. They produce an automated report whilst claiming they have conducted a full penetration test.
A penetration test should involve looking at social engineering weaknesses, and weaknesses in business logic that automated scanners can’t pick up. In addition to this, they look for zero-day vulnerabilities that are not in the scope of automated scanners.
So if a penetration test does more than automated scanning, why aren’t we just using penetration testers?
Penetration testing is supplementary to automated scanning.
Scanners can pick up vulnerabilities at a much quicker rate than a manual penetration test can. It looks at different things to what a penetration tester would look at.
Penetration testing isn’t an automated process but instead a time-consuming exercise that can’t run 24/7. Whereas a scanner can be left to run continuously and look for vulnerabilities.
Penetration is typically an expensive exercise that is done ad-hoc.
What is the benefit of automated scanning?
Automated scanning is exactly what it says on the tin. It’s an automated process that is not human intensive that runs in the background whilst you continue with your work.
Scanners pick up on the structure of networks and web applications whilst mapping out where vulnerabilities are.
This process is sometimes referred to as automated penetration testing and should be the baseline of any organisation looking to secure their assets.
The first step in automated scanning is to give us a picture of our attack surface.
The scope of the vulnerability scanners depends on the tool that you are using. In reality, you should be using a tool that picks up vulnerabilities from various segments of the organization.
We should be doing continuous scanning of web applications, and networks and also looking at misconfiguration of cloud services.
A good tool will also provide some form of vulnerability management so you can confirm what has been remediated.
You also need to understand the risk scoring of the vulnerabilities that have been found along with the impact if exploited.
How often should we do our scans?
There is no set guideline in the standards except for it is a requirement to perform periodic scans for vulnerabilities on web assets and network infrastructure.
There are two segments for testing for vulnerabilities one is manual and the other automated.
We have known people who buy scanners just to have a scan once per year to comply.
If you want to maintain security though, we recommend that you do continuous scanning of network and web assets to ensure you are completely up to date on the state of your security posture.
Integrating vulnerability scans into Your Workflows
The easiest way to continuously monitor for vulnerabilities is to truly automate the process by integrating it into your workflows.
For web applications, this means integrating the scanner into your CI/CD environment and triggering scans at certain stages in the pipeline.
After every code change, when the code is pushed into production, a scan should be triggered.
Good tools will do this in the background and issue notifications via email to the person responsible without them even knowing that the tool is there.
As soon as vulnerabilities are re-mediated, it should do a new scan to confirm the fix and issue a new report.
Code shouldn’t be pushed to production until all vulnerabilities have been dealt with or they have been marked as ignored or false positive within the tool.
Network scanning should be incorporated into your workflows and have a continuous element to it so you have a complete understanding of the picture of your security posture.
Using 3rd parties to monitor vulnerabilities
Many companies don’t have the skills to do their own vulnerability management and assessment and thus outsource this to third-party companies such as MSPs and MSSPs.
MSPs can do the monitoring part and produce ad-hoc reports to you so you understand how secure you are.
MSSPs often provide penetration testing services on top of the automated scanning which is more expensive than doing an automated scan.
If you are concerned about your security posture and don’t feel that you have the skills to remedy this, we can put you in contact with one of our MSPs that use Resilient X to manage their customer’s security posture.
