The value of automated Security Tests
I think that I should speak up how I feel about automated security tests. I don’t think that this post will bring much value to you but at least you will be able to see what it feels like from the field. I will try to keep my thoughts short and clean and emphasize on the main points without going too much out of scope. I think that this topic has been already widely discussed so there is no need to waste more time on it. Everyone should make up their own mind.
I personally believe that there is a place for automated security tests although I wont recommend them to anyone who is serious about their security. Automated scanners are only good for identifying vulnerabilities in a bulk manner following predefined types of patterns. We already know that unless we come up with an AI (Artificial Intelligence) type of software we will never be able to provide that much of a value here. The problem is not whether scanners can identify vulnerabilities, the problem is whether they are conscious enough (to have the right amount of semantics and pragmatics) to define these vulnerabilities, to zoom OUT and IN and as such provide global view and more fine-grained one depending on the scenario or the test case.
A lot of the scanning vendors reason that scanners can identify all issues of a given type and this type of service usually cost less and it is performed a lot faster when compared to the service a h4kur can provide, which obviously will cost a lot more and will require a lot more time. They are right! There is no doubt about that. Though, we should decide on the motivation of getting a security test on first place. Why do we need it? What are we trying to achieve by getting it?
If you are a software vendor, automated scanners should definitely be part of your products’ lifecycle. If you are a system administrator, you depend on automated security tests in order to reduce the burden of managing such a huge work load on your own. However, if you are an organization which is interested in knowing your real security level, you should probably run away from automated security tests and hire some good penetration testers.
I’ve mentioned earlier that scanners lack the ability to provide sensible picture based on the gathered data. Simply put, the scanner will craw, scan, prob and report but nothing more. On the other hand, a skillful attacker won’t be able to provide you with the level of detail a scanner will, but will be able to give you a lot better description about the current security state of your systems. The attacker will be able to identify the weakest points of your network or application and as such give you more value for your money. In comparison to scanners, this approach is a lot more valuable because scanners will only list vulnerabilities based on their severity level. Keep in mind that HIGH risk issues are not often those that needs to be fixed first, not to mention the fact that successful penetration of a given organization often relies on combination of tricks, which is something scanners cannot come up with.
I will stop right here since I find this topic not very much for my taste, though I’ve been asked so many times so I through that I can easily refer to this post as soon as I need it. The main principles is to follow your needs. I would personally employ people since they can provide me with the intelligence which is a lot more valuable. Scanners will be the last thing on my mind. They may help you with hardening the perimeter (something very important btw) but they will most probably mislead you if you trust them too much. That said, I am done on this topic.