Finding vulnerabilities is the job of a security specialist when he starts a penetration test. A typical penetration test costs around 10K, so it is not surprising that most organisations choose to limit this kind of test to once a year. The result of the penetration test is a report with a list of vulnerabilities, often with clear recommendations. Often the results provide organisations with enough actionables to occupy resources for the rest of the year. The downside of a penetration test is that it is just a snapshot of the day on which it is conducted, leaving the organisation in the dark for the rest of the year. What if a new vulnerability is introduced the day after the penetration test?

So, you might ask, how can we improve this? Being blind for more than 11 of the 12 months is, so to say, suboptimal. The answer is automation. Today's vulnerability scanners are getting more sophisticated and can find enough actionables to fill a whole year, just like a penetration test. Their main advantage, however, is that they give you a real-time overview of the current situation. A new vulnerability that appears one day after a penetration test will leave you ignorant for a whole year, while a vulnerability scanner would alert you immediately. Besides, let's face it: that expensive security specialist will start with the same scanners anyway...

However, this doesn't mean that security specialists are obsolete. The human factor often finds more vulnerabilities and is able to find logical flaws. For example, if a non-registered user can access the administration panel and even download your customer data, that would be a huge flaw. A skilled tester should find this kind of flaw, but a vulnerability scanner might conclude that the admin page doesn't have any vulnerabilities and is therefore secure. If you want to test your whole infrastructure for security flaws, make sure you have done your homework. First scan your network and address the low-hanging fruit. Otherwise the scanning part will consume almost all of the specialist's time and you will end up fixing only the vulnerabilities that come straight from the scanner.

So, the question is not which one is better, but which one do you need? If you have custom applications, it might be a good idea to have a security specialist test them, preferably every release. The security specialist will look for flaws that an automated scan might be unable to detect. With Agile development teams that deliver a new release every two weeks, this would be an expensive solution. The solution might be a hybrid one: for example, an automated security scanner that tests your application every release for technical vulnerabilities, combined with an occasional penetration test that looks for additional flaws.

If you have questions please don’t hesitate to contact us.

Why would you want a periodic penetration test if you can scan every day?