Striking the Balance between Automation and the Human Touch in Penetration Testing



Navigating how to reap the benefits of automation and when to use manual processes is an age-old cybersecurity challenge. How can organizations achieve efficiencies without the support of automated technologies? How can they ensure they’re getting the most thorough coverage without the human touch? In my opinion, it isn’t an either-or. Organizations need both automation and manual strategies to ensure their assets are protected from cyberattacks, and there is much to learn from the penetration testing community.

Pentesting is a great example of the importance of collaboration, not only between humans, but also between humans and machines. Penetration testing can be a balance of automation and manual efforts so that a cybersecurity program pays dividends. First, let’s understand the benefits (and potential limitations) of using the different approaches alone.

Automated Penetration Testing

Automated-only pentesting creates a lot of noise. We’ve seen automated scans of applications or networks return hundreds of unvalidated or false-positive results. Going through those results—working out which vulnerabilities need attention and which don’t—takes a lot of effort from development or IT teams. The work is administrative in nature: someone has to weed through the results and dedupe, correlate or remove all of the false positives. Removing that “noise” before the results get passed down is critical for effective remediation. Automated testing is also not a full-coverage solution, and if the tool can’t provide full coverage, there will inevitably be vulnerabilities that go unfound. And if there are systemic issues that need to be addressed, they don’t become apparent to machines. You can’t fix what you don’t see. Both situations can give organizations a false sense of security.

Manual Penetration Testing

Manual penetration testing achieves more coverage than an automated-only approach; it just takes longer. Humans can find critical and high-severity issues that automated tests can’t uncover, and they can apply business logic to design flaws. Without manual testing there would be little real visibility into the results: humans are adept at identifying patterns and relationships, so they can judge whether there are systemic issues in the environment that need to be addressed, along with other patterns in the results that call for action. However, when penetration testing is done entirely by hand, it’s very expensive.
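The two points above, noise reduction on scanner output and spotting systemic patterns across hosts, can be shown with a small triage step. This is an added example, not code from the post; the scanner names, hosts and findings are constructed, and the normalization key and the three-host threshold for "systemic" are assumptions.

```python
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from two hypothetical scanners (not real scan data).
# Note the duplicate TLS finding on 10.0.0.5 reported with different casing and
# severity, and the SSH finding whose port arrives as a string from scanner_b.
RAW_FINDINGS = [
    {"tool": "scanner_a", "host": "10.0.0.5", "port": 443, "issue": "TLS 1.0 enabled", "severity": "medium", "validated": False},
    {"tool": "scanner_b", "host": "10.0.0.5", "port": 443, "issue": "tls 1.0 enabled", "severity": "low", "validated": True},
    {"tool": "scanner_a", "host": "10.0.0.6", "port": 443, "issue": "TLS 1.0 enabled", "severity": "medium", "validated": False},
    {"tool": "scanner_a", "host": "10.0.0.7", "port": 443, "issue": "TLS 1.0 enabled", "severity": "medium", "validated": False},
    {"tool": "scanner_a", "host": "10.0.0.5", "port": 22, "issue": "Weak SSH ciphers", "severity": "low", "validated": False},
    {"tool": "scanner_b", "host": "10.0.0.5 ", "port": "22", "issue": "weak ssh ciphers", "severity": "low", "validated": False},
    {"tool": "scanner_b", "host": "10.0.0.9", "port": 80, "issue": "Directory listing enabled", "severity": "medium", "validated": True},
]

def finding_key(f):
    """Normalize host, port and issue so the same finding from two tools collides (assumed key)."""
    return (f["host"].strip(), int(f["port"]), f["issue"].strip().lower())

def dedupe(findings):
    """Merge duplicates: keep the highest severity, remember every tool that saw it."""
    merged = {}
    for f in findings:
        host, port, issue = finding_key(f)
        entry = merged.setdefault((host, port, issue), {
            "host": host, "port": port, "issue": issue,
            "severity": "info", "tools": set(), "validated": False,
        })
        entry["tools"].add(f["tool"])
        entry["validated"] = entry["validated"] or f["validated"]
        entry["severity"] = max(entry["severity"], f["severity"], key=SEVERITY_RANK.get)
    return list(merged.values())

def needs_manual_review(deduped):
    """Findings no scanner could validate: the queue a human tester has to work through."""
    return [e for e in deduped if not e["validated"]]

def systemic_issues(deduped, min_hosts=3):
    """The same issue on many hosts points to a shared root cause rather than one-off fixes."""
    hosts_by_issue = defaultdict(set)
    for e in deduped:
        hosts_by_issue[e["issue"]].add(e["host"])
    return {i: sorted(h) for i, h in hosts_by_issue.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    clean = dedupe(RAW_FINDINGS)
    print(f"{len(RAW_FINDINGS)} raw -> {len(clean)} unique, {len(needs_manual_review(clean))} need manual validation")
    print("systemic:", systemic_issues(clean))
```

On the constructed input, seven raw findings collapse to five, three still need a human to validate them, and the TLS finding is flagged as systemic because it recurs on three hosts.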

How to Balance Automation and Manual Efforts

Automation complements manual pentesting efforts, not the other way around. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources and other constraints. Automation is critical for handling mundane or repetitive processes to free up time for humans—pentesters, developers and others—to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential. When used correctly, it becomes a force multiplier. But, again, it won’t find all vulnerabilities. In fact, a recent internal NetSPI study provides demonstrable measures on why manual penetration testing is necessary: 37% of critical vulnerability discoveries were found through automated scans, while 63% were found through manual pentesting.

If you’re thinking to yourself, “I’m doing fully automated testing today; how do I evolve into an automated-plus-manual vulnerability management program?”, it’s really about finding a partner that will help enable that evolution with you. Many things come into play, including answering: How are penetration testers going to interface with the technology you have? What are your systems of truth? What are the inputs and outputs of each? Where does the data go? Who is going to do the manual work? What skill sets do they need? Are there people you can find and hire? Finding a partner that can help integrate manual pentesting into your business is key.

Without the human touch, organizations will have to optimize and fine-tune technology and automation to get the most coverage possible—and then accept that risk remains, as there will be vulnerabilities that won’t be uncovered. On the other side, with a manual-only approach and no automated technology, organizations can’t achieve efficiency unless they’re willing to invest in more and more people. A combination of technology and the human element is the future of getting value out of any vulnerability management initiative that aims to protect your organization from attackers and potential threats.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
