If you’ve been involved in software development in recent years, then you should be aware of the term “Penetration Testing”.
Penetration testing (or pentest) is as popular as ever. I continue to find organizations that spend a lot of money on pentest as their primary means of security, testing periodically while they are in production, yet they are still hacked constantly.
New digital technologies and modern computer platforms allow organizations to rapidly deliver new products and services, create agile business models and revenue streams and enhance operational efficiency.
However, deploying changes faster is a double-edged sword. Consider for a moment what happens when changes contain bugs – or security issues? If there are no systems in place to guard against flawed changes being released, we risk bringing our systems down much faster too.
In this challenging software environment, businesses require a new approach: annual audits are no longer enough. In this article, we explain how you can merge manual penetration testing with automated security testing to improve your security.
New techniques for modern applications
Combining manual penetration testing and automated security testing results in a comprehensive and effective approach to safety. Although they are different, they are not mutually exclusive.
In-depth manual pentests weed out complex attack vectors. However, the amount of code pushed live every day poses a challenge as it is increasingly difficult for security teams to keep track of the latest threats. With the help of automated tools, problems can be discovered before the new code goes into production.
What are the benefits of combining annual penetration testing and automated security testing?
By using automated tools, developers can identify and solve security problems throughout the development cycle. So, while your development team solves the security problems before implementing production updates, the pentesters will concentrate on complex vectors, optimising time and cost.
How can you automate your security testing?
If you have an expert on your team or some free time in your sprint, you can integrate on-premise and open-source tools such as Nessus, Acunetix, Vega, OpenVas, etc. to improve the security of your platform.
These tools have different approaches to computer security, and companies often use several solutions to test their security from every point of view.
First you must create scripts that communicate with each tool through its API. Then you can automate scanning and reporting; you can do this with Jenkins, Cron Jobs or by integrating a Webhook Callback in the Pipeline of Continuous Integration.
This process is time consuming, it requires analysis of each solution and development of new scripts to adapt each tool. Integrating multiple tools is a challenge and a continuous exercise.
As an example of one possible integration, you can use this code developed in Python to perform vulnerability scans using OpenVAS.
Most commercial tools are expensive to license and generally depend on an in-house server, so there is no solution that allows small and medium-sized companies and developers to get quality results at a low cost. Most of these technologies were developed before the rise of agile methodologies in the development cycle, so project delivery times are often affected, or companies have the dilemma of delivering a project and then building security later (which is often not done).
Aside: Hackmetrix
Hackmetrix performs fully automated tests to identify security issues on your web application. We integrate the best tools on the market, both open-source and tools developed by our team, that succeed where traditional tools fall short.
Developers typically have an extensive backlog of things to do and security testing often falls between the cracks because of limited time. It’s also near-impossible for any single developer to manually security test their code while keeping up with the latest vulnerabilities. By using automated tools, Hackmetrix helps catch security issues before every new release and as part of a developer’s normal workflow.
The best part: you can start for free.
What’s next for Hackmetrix?
Our team is constantly working on new features that facilitate integration with multiple tools used by modern development teams. We also work hard to improve our descriptions of the issues found, so you can understand them without needing to be an expert in security. Some of the features we are developing are:
Authentication: Let our service authenticate on your website using basic authentication or customise cookies to use them for authentication.
Export: Export all vulnerabilities as a summary or as a full report in JSON, CSV and XML format to share and store information, or integrate the results into log management tools like Splunk.
Development API: We think security should be easy to integrate into the development process and our API does just that by allowing you to easily trigger scans and get Hackmetix data.
Multiple Plans: The Hackmetrix team works constantly to create different subscription models. We know that our users have different needs and we want to offer a personalised experience for each one, starting with our free plans.
Duplicates and False Positive Detection: We invest a lot of time working with false positives to generate cleaner and more accurate reports.
Here you can see our latest release!
Update 11/5/2018: As of today all of these features are available on Hackmetrix! We added a new type of plan, Essential, that will cover all your needs as you work on your app, and kept a Custom offering for users who need a large amount of scans. Starting with our Free plan you can have access to our development API, and Essential and Custom plan customers will be able to scan apps as a logged in user and export their scan results. We also keep working on detecting and reducing duplicates and false positives to improve user experience across the board.
Conclusion
With the tools presented in this article you can apply Automated Security Testing to much more complex projects. You could even try tools similar to those used here, such as different scanners, or new libraries.
We look forward to seeing what you will build. Cheers!.
