26 Jan 2017

Do We Still Need Humans for Security Testing?

by Artem Metla and Andriy Shevchuk

We see automation in full force in every aspect of our lives, and the IT industry is no exception. Security testing, as part of the software development process, is a very attractive area for automation, and a lot of effort has already gone into it. Does that mean we can do without humans in software testing? Once something is automated, is human effort still an important ingredient in the security testing brew? Artem Metla and Andriy Shevchuk, both Offensive Security Certified Professionals and Senior Security Engineers at Ciklum, take us on a short journey into the world of application security testing and look at how things stand today.

Pen Test as Legal Hacking – A Bit of Theory

Just to be on the same page, we should define a couple of terms. The first, and by far the most common, term related to security testing is penetration testing (often shortened to pen test). The term is fairly self-explanatory, but a few details are worth adding. Penetration testing boils down to revealing the most effective way to break into your system. Frankly, most of us know this is neither the only way nor the most efficient one; it is, however, usually the easiest one from the hacker’s perspective.

A penetration tester can discover security issues and flaws, summarize them, and provide an analysis of the target’s relevant parameters, helping developers work on the fixes and clients see the work in progress. A pentester should always have a good grip on current software development approaches, be familiar with many tools, and keep a finger on the pulse of newly discovered vulnerabilities. On the flip side of the coin, it’s safe to assume that a potential attacker may have plenty of resources (time, people, computing power) to break into a target system.
Based on this assumption, and understanding that a business is always limited in resources, security professionals started automating their efforts to meet tight deadlines.

Is Automation a Magic Pill?

Take a look at any automated security scanning tool and you’ll spot a bunch of limitations. Among them are:

- a fragile balance between false positives and false negatives
- no way to combine individual issues into attack scenarios
- no understanding of the application logic
- a very limited ability to reveal architecture-related flaws
- difficulties with customized permission schemas and with network protocol analysis

Unfortunately, this list is far from complete. To top it all off, the detection patterns of modern tools are under continuous development and are still far from perfect. So we find ourselves with imperfect tools in an imperfect world. What should our answer be to the challenge of keeping things secure? At Ciklum we believe the most effective way to combat modern threats is to combine our best efforts in automation with the professional work of security engineers and developers. Hire a talented, experienced specialist and entrust him or her with the most powerful tools available on the market. They’ll work miracles for you!

A successful penetration test is like a chess game – thoughtful tactical and strategic moves directed by humans, even if some of the moves are automated. Moving on, we should consider the main input any penetration tester uses to make decisions – information about the target systems. By taking a hybrid approach, combining penetration testing techniques with source code analysis, security engineers can move security testing to the next level. This boosts penetration testing and increases its cost-effectiveness, despite the complexity and poor rationale of the problem.
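To make the first three limitations above concrete, here is an added example (our own constructed code, not from the article and not from any Ciklum tool). It contrasts a hypothetical pattern-matching scanner with the kind of check a human tester writes once they understand the application logic: the scanner raises a false positive on a safe, parametrised query and a false negative on a checkout routine that accepts negative quantities, while the human-written probe catches the logic flaw and confirms that the hardened version rejects it. All names in it (SAMPLE_SOURCE, SCAN_RULES, pattern_scan, logic_probe, the two checkout functions) are assumptions made for this illustration.

```python
import re

# Constructed sample application source (not from the article). lookup() is
# safe: it builds its column list from a hard-coded whitelist and passes the
# user value as a bound parameter. checkout() has a business-logic flaw: it
# never checks that quantities are positive.
SAMPLE_SOURCE = '''
ALLOWED_COLUMNS = ("id", "name", "email")

def lookup(db, user):
    query = "SELECT " + ", ".join(ALLOWED_COLUMNS) + " FROM users WHERE name = ?"
    return db.execute(query, (user,))

def checkout(cart, balance):
    total = sum(item["price"] * item["qty"] for item in cart)
    return balance - total
'''

# Hypothetical pattern rules of the kind a simple static scanner ships with.
SCAN_RULES = {
    "sql-concat": re.compile(r"SELECT.*\+"),  # "string concatenation near SELECT"
    "eval-call": re.compile(r"\beval\("),
}


def pattern_scan(source):
    """Line-by-line pattern matcher standing in for an automated scanner."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in SCAN_RULES.items():
            if pattern.search(line):
                findings.append({"rule": rule_id, "line": number, "text": line.strip()})
    return findings


def checkout_vulnerable(cart, balance):
    """Mirrors checkout() from SAMPLE_SOURCE: trusts whatever quantity it is given."""
    total = sum(item["price"] * item["qty"] for item in cart)
    return balance - total


def checkout_fixed(cart, balance):
    """Hardened version: rejects non-positive quantities and negative prices."""
    for item in cart:
        if item["qty"] <= 0 or item["price"] < 0:
            raise ValueError("invalid cart item: %r" % (item,))
    total = sum(item["price"] * item["qty"] for item in cart)
    return balance - total


def logic_probe(checkout_fn, balance=100.0):
    """The test a human tester writes: can a negative quantity grow the balance?

    Returns True when the flaw is present, False when the input is rejected
    or the balance does not increase.
    """
    cart = [{"price": 50.0, "qty": -1}]  # constructed hostile input
    try:
        new_balance = checkout_fn(cart, balance)
    except ValueError:
        return False
    return new_balance > balance


if __name__ == "__main__":
    findings = pattern_scan(SAMPLE_SOURCE)
    for finding in findings:
        print("scanner: %(rule)s at line %(line)d: %(text)s" % finding)
    print("scanner flagged the checkout flaw:",
          any("qty" in f["text"] for f in findings))
    print("logic probe, vulnerable checkout:", logic_probe(checkout_vulnerable))
    print("logic probe, fixed checkout:", logic_probe(checkout_fixed))
```

Run stand-alone, the scanner reports only the whitelisted-column query (a false positive) and says nothing about the checkout routine (a false negative), while logic_probe returns True for the vulnerable checkout and False for the fixed one. The rules see syntax, not intent; deciding that a negative quantity is meaningless in a shop is exactly the application-logic understanding the article says tools lack.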
Authors:

Artem Metla, OSCP (Offensive Security Certified Professional), is a Senior Security Engineer at Ciklum’s Testing Center of Excellence, with 6+ years of experience in penetration testing, SOX compliance, and IT audit services. Artem managed the application security process for the online payment system of DanDomain, the leading Danish web hosting company.

Andriy Shevchuk, OSCP (Offensive Security Certified Professional), is a Senior Security Engineer at Ciklum’s Testing Center of Excellence. Andriy has extensive experience in penetration testing, application security, and information security audits.

If you want to keep your software product secure, do not hesitate to contact Ciklum!