Flavijus Piliponis â stock.ado

Tip

Introduction to automated penetration testing

Automated penetration testing, which speeds up the process for companies and vendors, is maturing. Is it ready to close the time gap between vulnerability discovery and mitigation?

Many IT security consulting companies provided manual penetration tests over the past few decades. This service traditionally consisted of a group of well-trained security professionals armed with hacking tools and exploits. Their goal was to probe corporate infrastructure entry points to identify vulnerabilities and gaps that need to be fortified.

While manual pen tests remain the most widely deployed, automated pen testing has started to mature as a second option. Automated pen testing seeks to speed up procedure, while simultaneously reducing costs.

How does automated pen testing work?

Automated processes aren't new to IT security. Pen testing tasks have remained largely manual, however. Although pen test scanning and hacking tools are often automated, the challenge resides in identifying where along the infrastructure border they should be targeted.

This skill is not easily automated as it is a calculated process that must consider external factors, including the type of business being tested, the structure and buildout of the network, and what apps and services are exposed to the outside world. Think of pen testing professionals as detectives. They use tools and methods to gather important information, which is used to identify potential security weaknesses. This time-consuming process can take days, weeks or months to complete.

Vendors have started integrating automated processes into their pen testing tools. They want to speed up the probing and analysis process to accurately collect relevant data. This frees up security professionals to place their focus elsewhere. In many cases, AI is sophisticated enough to mimic the processes of a manual pen test to quickly identify vulnerabilities. This information can then be used to quickly remediate the identified security risk or risks.

What are the benefits of automated pen testing?

Automated pen testing provides companies with a faster security report at a lower price. An automated penetration platform can be pointed toward a client network and perform scanning, probing and analysis around the clock with little oversight. Automation can also be applied to organize reports by severity of issues to address. In theory, a thorough automated pen test can be completed in significantly less time compared to manual pen tests.

AI has rigid processes and procedures any pen testing tool must follow when running scans and analyzing results. The results of these tests are highly repeatable with little variation between results. In the infosec world -- especially from a regulation and compliance perspective -- this trait is desirable.

There are even ways to make automated pen tests even cheaper. Cost savings are largely gained by not requiring highly paid security professionals to execute tools and perform high-level analysis of the results. AI-backed tools have become adept at doing this for known security exploits and vulnerabilities. While automated pen test services are not exactly cheap, they often are less expensive than human alternatives when the time savings gained with automated testing platforms are factored in.

Are automated pen testing tools ready for enterprise use?

Automated pen testing platform vendors and service providers claim their platforms and services can figure out what hackers will target thanks to AI. While AI may eventually be able to accomplish this at some point, many still regard these types of systems as inferior to traditional, human-based tests.

The ability to mimic the human brain to perform highly complex and often imaginative tasks is quite challenging for computing systems originally built to operate in a binary mode. Automated pen testing platforms can indeed replicate some tasks a human pen tester does within a fixed set of parameters and when looking for known vulnerabilities and exploits. When it comes to new methods, avenues or outside-the-box thinking, however, nothing compares to a manual pen test.

The most beneficial part of automated pen testing is it can handle more repetitive and basic tasks, freeing up security professionals' time. Expect automated pen testing tools to be used in hybrid deployments alongside manual testing. The combination still speeds up the testing process at a lower cost. At the same time, this approach ensures security professionals investigate where the automated platform cannot.

Dig Deeper on Security analytics and automation

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close