Death of the Manual Pen-Test: Blind Spots, Limited Visibility

Manual penetration testing (pen-testing) is increasingly challenged by automated methods of vulnerability discovery and management. The reasons are not difficult to understand: the cost of manual testing is too high and its coverage too limited.

A new survey of more than 100 IT and security managers involved in the pen-testing practices of companies with more than 3,000 employees provides more details. The survey was conducted by Informa Tech on behalf of CyCognito.

The survey/report indicates that the primary reasons for conducting pentesting are to measure the company’s security posture (70 percent), and to prevent breaches (69 percent). It is clear from other responses, however, that there is widespread concern over whether pentesting can deliver on these requirements.

The main concerns are that pentesting does not cover the entire infrastructure, leaving blind spots (60 percent); it examines only known assets rather than discovering and testing assets that may have been forgotten, or not recognized, in cloud environments (47 percent); the cost of pen-testing is too high for it to be used extensively (44 percent); and, related to the cost, the results of pen-testing provide just periodic snapshots in time that might no longer be accurate the day after the testing (36 percent).

These concerns are not a criticism of the pen-testers themselves. Pen-testers still provide, says CyCognito, “a valid way to surface some vulnerabilities in specific, scoped portions of an attack surface at a single point in time.” Pen-testing is conducted by skilled professionals who bring human creativity to complex challenges.

The implication of this statement is that manual pen-testing still has a place in testing the security of perhaps the customer’s most important assets, but only as an addition to automated monitoring of the overall attack surface.

The primary reason that pen-testing cannot be extended across the entire attack surface is cost. Seventy-nine percent of the respondents said that pentesting is costly, with 78 percent saying that cost prevents the testing of all apps, and 76 percent saying that the cost prevents more frequent testing. To put these costs into perspective, 12 percent spend more than $1 million annually on pen-testing, while another 8 percent spend between $500,000 and $1 million.

Thirty-five percent spend less than $100,000, and it is open to conjecture whether minimal pentesting is being done simply to comply with regulations that require it. Noticeably, ensuring compliance was the third most common driver for pentesting, at 65 percent.

Apart from cost, coverage is also a concern with manual pen-testing. The biggest concern, at 60 percent, is that it only provides limited test coverage over a portion of the attack surface, leaving behind too many blind spots. Forty-seven percent of the respondents were also concerned that their penetration tests look at only known assets and don’t discover new or unknown ones. 

In fact, 47 percent of the respondents believe that pentesting covers less than half of their company’s attack surface. Thirty-eight percent believe it covers more than 50 percent, with the remaining 10 percent not knowing.

This lack of coverage extends to time as well as attack surface. Because of the cost of pen-testing, it can only be done infrequently. A company that has a good security posture and is in compliance on the day of the testing could have a poor posture and be out of compliance within days of the test.

In reality, the company may never get a true picture of its security posture from pen-testing since in 24 percent of cases, it takes more than 2 weeks from testing to receipt of the tester’s report. During this time, new vulnerabilities could be introduced with no possibility of them being found by the tester.

It is clear that the size of digital infrastructures (which continues to increase with the process of digitization), the growth of cloud-based assets, and the movement towards dispersed assets under the new work-from-home (WFH) paradigm mean that manual pentesting is nowhere near capable of protecting the modern network. Although CyCognito does not explicitly call for automated security testing, its description of what is required cannot be achieved without it.

That description reads: “The approach needs to enable continuous discovery of all attacker-exposed assets across the organization and in closely related environments such as those belonging to subsidiaries, partners, suppliers, and cloud service providers.”

Rob Gurzeev, CEO and co-founder of CyCognito, adds, “Security tests should tell organizations what attackers are able to see and exploit so that defenders can prevent breaches. But when companies are only able to see assets they already know about, test just a portion of their attack surface, and do that only a few times per year, preventing breaches isn’t possible. So, the biggest takeaway from this report (PDF) is that what organizations want or are hoping to achieve through pentesting versus what they actually are accomplishing are two very different things.”

Palo Alto, California-based CyCognito was founded in 2017 by Dima Potekhin (CTO) and Rob Gurzeev (CEO). It has raised a total of $53 million, with the most recent from a $30 million Series B funding round in July 2020.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.