Web Application Automated Pen Testing: What should you look out for?
Pen testing is one of the most useful services in the cyber security world. It allows you to identify vulnerabilities within your environment and close those holes before they can be exploited by a third party. With the sheer number of vulnerabilities disclosed every year, it is important that organizations practice automated pen testing on a regular basis. Just for context, 2016 saw 6,500 new vulnerabilities, while in 2017 that number more than doubled to almost 15,000 new vulnerabilities. Automated pen testing can drastically help to close these vulnerabilities in an efficient manner, but choosing the right service provider can be tiresome work. We’re here to show you a few things you should look out for when making your decision.
Types of Web Application Automated Pen Testing
Whitebox (SAST)
Blackbox (DAST)
Greybox (IAST)
Choose the Right Discipline
When choosing the type of web application automated pen testing your organization needs, it is really important to identify why you’re doing it in the first place. For example, Whitebox is a good fit if you’re trying to protect against internal threats, because the automated pen test is run against your source code. Blackbox lies at the opposite end of the spectrum: it simulates automated pen testing from outside your infrastructure, with no knowledge of the code. Greybox acts as a hybrid of the two; a good example would be an authenticated user who has access to some back-end information that ordinary users do not. Automated pen testing is all about perspective, and different perspectives give you different results, case in point:
False Positives - Your Worst Nightmare (Solved)
If you’ve ever been exposed to penetration testing in the past, you’re more than aware that automated pen testing tools can lead to a world of false positives, which is extremely frustrating to say the least. Some companies claim to have a low false positive rate based on their security research and similar arguments; be wary of such claims. The way that we deal with false positives is to use multiple tools for a single discipline and combine the results in a single report. In this way we cross-correlate findings: an issue reported independently by several tools at the same location is far less likely to be a false positive than one reported by a single tool, so the false positive rate of automated pen testing is reduced as much as possible. Below is a short list of tools which we use specifically for web application scanning. Note this is not the full list:
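To make the cross-correlation idea concrete, here is an added example (not code from the original article or from any of the tools it mentions) that merges findings from several hypothetical scanners into one report. The scanner names, finding records and vulnerability-type aliases are all constructed for illustration; a real pipeline would need a per-tool adapter that converts each scanner's native output (XML, JSON, CSV) into the simple record shape used here before correlation.

```python
"""Cross-correlate web-scanner findings from several tools to rank
likely false positives. Added example: the finding records below are
constructed, and the scanner names are placeholders, not real output."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings already mapped into one common record shape.
SAMPLE_FINDINGS = [
    {"tool": "scanner_a", "type": "xss", "url": "https://app.example/search?q=1", "param": "q"},
    {"tool": "scanner_b", "type": "Cross-Site Scripting", "url": "https://app.example/search?q=abc", "param": "q"},
    {"tool": "scanner_c", "type": "XSS", "url": "https://app.example/search/?q=", "param": "q"},
    {"tool": "scanner_a", "type": "sqli", "url": "https://app.example/item?id=5", "param": "id"},
    {"tool": "scanner_b", "type": "SQL Injection", "url": "https://app.example/item?id=7", "param": "id"},
    {"tool": "scanner_c", "type": "open_redirect", "url": "https://app.example/login?next=x", "param": "next"},
]

# Each scanner uses its own vocabulary; map it onto one canonical class so
# the same issue reported under different names still correlates.
TYPE_ALIASES = {
    "xss": "xss", "cross-site scripting": "xss",
    "sqli": "sqli", "sql injection": "sqli",
    "open_redirect": "open_redirect", "open redirect": "open_redirect",
}


def canonical_type(raw):
    """Normalize a scanner's vulnerability label to a canonical class."""
    key = raw.strip().lower()
    return TYPE_ALIASES.get(key, key)


def canonical_location(url):
    """Strip the query string and trailing slash: the injection point is
    identified by host + path + parameter, not by the payload each tool sent."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme}://{parts.netloc.lower()}{path}"


def correlate(findings, corroboration_threshold=2):
    """Group findings by (type, location, parameter) and count distinct tools.
    Returns merged records, best-corroborated first."""
    groups = defaultdict(set)
    for f in findings:
        key = (canonical_type(f["type"]), canonical_location(f["url"]), f["param"])
        groups[key].add(f["tool"])
    merged = []
    for (vtype, location, param), tools in groups.items():
        n = len(tools)
        merged.append({
            "type": vtype, "location": location, "param": param,
            "tools": sorted(tools), "corroboration": n,
            # Single-tool findings are not discarded; they are queued for manual verification.
            "status": "corroborated" if n >= corroboration_threshold else "verify_manually",
        })
    merged.sort(key=lambda r: (-r["corroboration"], r["type"], r["location"]))
    return merged


def render_report(merged):
    """Produce the single combined report as plain text lines."""
    lines = []
    for r in merged:
        lines.append(f"[{r['status']}] {r['type']} at {r['location']} param={r['param']} "
                     f"reported by {r['corroboration']} tool(s): {', '.join(r['tools'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(correlate(SAMPLE_FINDINGS)))
```

The key design choice is what goes into the correlation key: the vulnerability class, the URL with its query string and trailing slash removed, and the parameter name. Tools send different payloads, so correlating on the raw URL would never match; correlating on host, path and parameter does. Findings seen by only one tool are kept but tagged for manual verification rather than dropped, since a single-tool result may still be a true positive that the other scanners simply missed.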
Want More Information on Automated Pen Testing?