Can penetration testing be automated?
Penetration testing, or pen testing, has long played an important role in the cybersecurity landscape at many companies. However, the rapid evolution of software development practices has meant that traditional approaches to penetration testing may no longer be fit for purpose.
Many modern development practices, such as DevSecOps, depend on the rapid deployment of new code to ensure software remains agile and competitive. Even so, security is no less important just because speed is vital. A single breach - large or small - may result in lost revenue, reputational damage, or regulatory fines.
Although the NIST Secure Software Development Framework (SSDF) and similar secure development practices have shored up defenses to an extent, many security gaps cannot be closed during the development stage alone: misconfigured deployments, exposed services and vulnerable third-party components only become visible once software is running. Instead, a revamped approach to penetration testing is required - one that can match the pace of modern software development. In a world of rapidly evolving security demands, pen testing needs to evolve equally quickly, and automation may be the only way of meeting this need.
Prioritizing security: Pen testing for the 21st century
Traditional approaches to penetration testing are consultancy-led: the testing is delivered by third-party professional service providers as a project. The engagement is typically sourced from a consultancy offering a range of pen test services, and the contract usually specifies a fixed testing window of one to two months, preceded by a preparatory phase of four to six weeks.
There are advantages and disadvantages to this more traditional approach to penetration testing.
Advantages:
- Consultancy-led pen testing can help companies fulfill compliance mandates and, as a result, secure cyber liability insurance
- On-site testing is offered
- A range of security services can be sourced from the same vendor, with pen testing offered alongside cyber risk advisory and other defense offerings as part of a more holistic security package
Disadvantages:
- Traditional pen testing leaves long gaps between assessments; there is no real-time assessment of changes made in between
- There is limited collaboration between external pen testers and internal security staff, so extra time is needed to verify results and research remediation steps
- Manual pen testing typically ends in a static PDF report; there is no regression testing to confirm that remediation was successful
What is automated penetration testing?
In contrast with traditional methods, automated pen testing uses tooling - increasingly including machine learning and generative AI (GenAI) models - to discover, test and verify vulnerabilities without a human driving each step. There is no need to run scans manually: assets are discovered and assessed continuously, so findings reflect the current state of the environment rather than a snapshot taken months ago.
The main advantage of autonomous pen testing is always-on coverage; achieving the same with manual analysis would be prohibitively expensive. Automated testing also detects and reports known vulnerabilities quickly, makes routine checks more efficient, and catches recurring vulnerabilities that reappear after a deployment.
Admittedly, automated pen testing has disadvantages too. Many of the tools it relies on have a steep learning curve and require extensive security and product-specific knowledge to configure and interpret. Many also have limited detection capabilities, which can leave an organization blind to particular classes of attack, such as logic flaws that need an understanding of the application's intent. False positives are another issue, especially when a tool's effectiveness is judged by the number of results it produces rather than by how many of those results are actually exploitable.
How to assess automated penetration testing tools
Development and security teams have different goals and strengths. Don’t assume that software developers can use tools and practices designed for security specialists. Many engineers are not security experts so if you try to implement tools or practices that require them to think like security specialists, you’re unlikely to see much uptake. A much better approach is to prioritize tools that already align with engineering workflows and methodologies.
Hadrian’s approach to automated testing
Hadrian’s Orchestrator AI autonomously performs penetration testing on a continuous basis. The platform contextualizes assets to understand how an adversary would conduct an attack by fingerprinting OS information, modules, libraries, input fields, authentication methods and much more. This allows Hadrian to identify “potential risks” such as technologies with known CVEs, parameters that could be manipulated with an injection attack, and AI screenshot recognition to identify services and exposed databases, without any human input.
Orchestrator AI uses this knowledge of the environment to test for exploitable risks, which are displayed in the “verified risks” section. The range of risks is based on techniques used by real-world threat actors and includes the OWASP Top Ten risks, known and zero-day vulnerabilities, and exposed and misconfigured services. Individual scans are chained together so that the output of one step (a fingerprinted technology, a discovered parameter) becomes the input of the next, simulating multi-stage attacks. Tests are scheduled on an “as-needed” basis: if an environment has not changed, no new tests are run, but when an asset changes (or a new one is discovered) tests are scheduled immediately.
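The change-driven scheduling described above, and the regression gap noted earlier for manual reports, can be illustrated with a small inventory diff. The following is an added example written for this page, not Hadrian's code: it assumes each asset is fingerprinted into a dictionary of observed attributes (the attribute keys, hostnames under the reserved `.test` domain, and the finding label are all constructed for illustration), hashes the canonical form, and on each run decides which assets need a first test, a full retest, a regression check of still-open findings, or nothing at all.

```python
"""Change-driven retest scheduling over a fingerprinted asset inventory.

Added example, not part of the original page or of Hadrian's platform.
Asset attributes, hostnames and the finding label are constructed inputs.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One reachable asset plus the attributes a fingerprinting step observed."""
    name: str
    attrs: dict  # e.g. ports, server banner, libraries, auth method (assumed keys)

    def fingerprint(self) -> str:
        # Canonical JSON so key order and whitespace never register as a change.
        canon = json.dumps(self.attrs, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


@dataclass
class Plan:
    test_new: list = field(default_factory=list)      # first seen: full test
    test_changed: list = field(default_factory=list)  # fingerprint differs: full retest
    regress: list = field(default_factory=list)       # (asset, finding): re-run stored PoC
    skip: list = field(default_factory=list)          # unchanged: no new tests
    retired: list = field(default_factory=list)       # in last snapshot, not seen now


def plan_tests(previous: dict, current: list, open_findings: dict) -> Plan:
    """previous: name -> fingerprint from the last run; open_findings: name -> labels."""
    plan = Plan()
    seen = set()
    for asset in current:
        seen.add(asset.name)
        fp = asset.fingerprint()
        if asset.name not in previous:
            plan.test_new.append(asset.name)
        elif previous[asset.name] != fp:
            plan.test_changed.append(asset.name)
            # The asset changed, so every verified risk still open on it gets its
            # proof of concept re-run: remediation is confirmed, not assumed.
            for finding in open_findings.get(asset.name, []):
                plan.regress.append((asset.name, finding))
        else:
            plan.skip.append(asset.name)
    plan.retired.extend(sorted(set(previous) - seen))
    return plan


def snapshot(assets: list) -> dict:
    """Fingerprints to persist for the next run."""
    return {a.name: a.fingerprint() for a in assets}


def demo() -> Plan:
    """Two consecutive runs over constructed inventories (hypothetical hosts)."""
    last_run = [
        Asset("www.example.test", {"ports": [443], "server": "nginx/1.24", "auth": "none"}),
        Asset("api.example.test", {"ports": [443], "framework": "express",
                                   "libs": {"lodash": "4.17.20"}, "auth": "bearer"}),
        Asset("legacy.example.test", {"ports": [80], "server": "apache/2.2"}),
    ]
    this_run = [
        # Same attributes as before, only the key order differs: must be skipped.
        Asset("www.example.test", {"auth": "none", "server": "nginx/1.24", "ports": [443]}),
        # A dependency was bumped: full retest plus regression of the open finding.
        Asset("api.example.test", {"ports": [443], "framework": "express",
                                   "libs": {"lodash": "4.17.21"}, "auth": "bearer"}),
        # Newly discovered host: first full test.
        Asset("admin.example.test", {"ports": [8443], "auth": "basic",
                                     "screenshot_class": "database-admin-ui"}),
        # legacy.example.test no longer answers and is reported as retired.
    ]
    # Hypothetical finding label for an open, previously verified risk.
    open_findings = {"api.example.test": ["param-injection:/v1/search?q"]}
    return plan_tests(snapshot(last_run), this_run, open_findings)


if __name__ == "__main__":
    p = demo()
    for bucket in ("test_new", "test_changed", "regress", "skip", "retired"):
        print(f"{bucket:12s} {getattr(p, bucket)}")
```

Persisting the output of `snapshot()` between runs is what makes the "no change, no new tests" rule cheap: the expensive part (exploit attempts) only runs for assets in `test_new`, `test_changed` or `regress`, while the fingerprinting pass itself stays continuous.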
Hadrian’s Orchestrator AI automatically verifies that risks are exploitable, removing false positives in the process. Each risk has a dedicated page that describes the risk, its severity and impact, remediation instructions and a proof of concept. The proof of concept details step-by-step instructions for reproducing the exploit, allowing customers to quickly verify any risk that Hadrian validates. Hadrian’s hacker team also performs periodic reviews of the AI model to ensure that it is producing accurate results and improving the performance of the platform.
Penetration testing is still an effective way of combating cyber threats, but when DevSecOps keeps shortening development cycles, security teams need to increase their pace too. Automated pen testing is key here, and Hadrian’s Orchestrator AI is a modern tool that can make it a reality.