How to keep your website safe in 2020
Vulnerability scanning can be very cheap or even free, while penetration testing can be considered quite expensive and time-consuming. However, penetration testing brings significant added value in comparison to all types of malware or vulnerability scanning currently on the web security market.
In this article we will see how businesses can use vulnerability scanners and penetration testing in parallel to achieve the highest level of website security.
Vulnerability Scanning vs Penetration Testing
When security breaches fill the news with stories of stolen customer data and website failures, organizations may turn to automated scanners. However, there's still a common misconception that fully-automated website vulnerability scanning brings the same results as web application penetration testing.
Overstating what vulnerability scanning can do is a frequent contributor to the large data breaches reported around the world from time to time. On the other side, we have already demonstrated the need for penetration testing in our recent article Application Penetration Testing.
In fact, today almost anybody can do vulnerability scanning: you just need to download any of a number of vulnerability scanners – some quite excellent – and run them against a website. They will generate an automatic report listing numerous actual and potential vulnerabilities and weaknesses – and probably a number of false positives as well. False positives are time-consuming – you need to verify every single issue the scanner detects. Much worse are false negatives – existing vulnerabilities that automated solutions miss, leaving systems vulnerable and giving website administrators a false sense of security. Some automated solutions may assign a medium risk to 403 or 500 error pages returned by the web server, although these are not vulnerabilities, just error pages. Finally, website administrators, under strain from heavy workloads, start ignoring all medium-risk vulnerabilities in daily scanning reports. As a result they miss important information about real vulnerabilities that deserve their attention.
Security scanners are probably a must-have tool for large companies that perform some of their security testing internally, relying on in-house security professionals who are capable of verifying and completing the results of an automated scan. Automated vulnerability scanning can also be very useful to keep the internal team up to date about the general state of their web applications. However, automated solutions and security scanners are not capable of replacing a penetration test. Nor are they suited for SMBs, or for projects where companies need both rapidity and the highest quality of security testing.
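The triage step described above (weeding out duplicates and findings that are nothing more than a bare 403 or 500 error page, and marking everything else for manual verification) can be partly automated. The following Python script is an added example, not code from the article or from any scanner product: the finding format, the error-page titles and the fault markers are assumptions chosen for illustration, and the sample findings are constructed.

```python
"""Triage of automated scanner findings.

Added example. Findings are shaped like a simplified, assumed scanner export
(not any particular product's format). The rules encode two points from the
article: a generic 403/500 error page is not a vulnerability, and every
remaining finding still needs a human to verify it.
"""
from collections import Counter

# Constructed sample export; ids, paths, titles and evidence are made up.
SAMPLE_FINDINGS = [
    {"id": 1, "severity": "medium", "title": "Server error page",
     "path": "/admin", "status": 500, "evidence": "Internal Server Error"},
    {"id": 2, "severity": "medium", "title": "Forbidden resource",
     "path": "/.git/", "status": 403, "evidence": "Forbidden"},
    {"id": 3, "severity": "high", "title": "SQL injection",
     "path": "/search?q=", "status": 500,
     "evidence": "You have an error in your SQL syntax"},
    {"id": 4, "severity": "high", "title": "SQL injection",   # duplicate of 3
     "path": "/search?q=", "status": 500,
     "evidence": "You have an error in your SQL syntax"},
    {"id": 5, "severity": "low", "title": "Missing X-Frame-Options header",
     "path": "/", "status": 200, "evidence": ""},
]

# Titles the assumed scanner uses for bare HTTP error responses.
ERROR_PAGE_TITLES = {"server error page", "forbidden resource"}
# Evidence fragments that indicate a real fault rather than a plain error page.
FAULT_MARKERS = ("sql syntax", "stack trace", "exception")


def is_plain_error_page(f):
    """A 403/500 whose evidence is only the status text is not a vulnerability."""
    if f["status"] not in (403, 500):
        return False
    if f["title"].lower() not in ERROR_PAGE_TITLES:
        return False
    evidence = f["evidence"].lower()
    return not any(marker in evidence for marker in FAULT_MARKERS)


def dedupe(findings):
    """Collapse repeated findings with the same title and path, keeping the first."""
    seen = set()
    unique = []
    for f in findings:
        key = (f["title"], f["path"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def triage(findings):
    """Return (to_verify, downgraded).

    to_verify: unique findings that a pentester must confirm by hand.
    downgraded: plain error pages reclassified as informational.
    """
    to_verify, downgraded = [], []
    for f in dedupe(findings):
        if is_plain_error_page(f):
            downgraded.append({**f, "severity": "info",
                               "note": "plain HTTP error page, not a vulnerability"})
        else:
            to_verify.append({**f, "note": "requires manual verification"})
    return to_verify, downgraded


def severity_counts(findings):
    """Count findings per severity, e.g. for a daily summary line."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    verify, info = triage(SAMPLE_FINDINGS)
    print("to verify:", dict(severity_counts(verify)))
    print("downgraded:", dict(severity_counts(info)))
```

The downgraded items are kept rather than dropped, so an administrator can still see them in a separate, low-priority list; the point is that they no longer crowd out the medium- and high-risk findings that deserve attention.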
True pentesting starts where a vulnerability scan finishes. A pentester will take the reports from probably several different scans and use his personal skills and experience to weed out the false positives and identify missed vulnerabilities. In particular, he is likely to recognize weaknesses in the business logic, which scanners cannot efficiently detect, and to see how otherwise minor technical flaws can be chained together to effect a major breach.
Another example of the vital need for a deep level of IT and security expertise comes with a scanner's discovery of a vulnerability. The vulnerability is probably already known to the security team and remains unpatched for a “good reason” – in some cases a patch for the vulnerability may threaten the functionality of a critical business process. This is a frequent case in large companies, where many critical products are developed in-house or outsourced, and suffer from various compatibility issues that prevent keeping systems up to date. In this case, the scanner will probably just generate generic information about a patching technique.
A qualified pentester, however, is capable of understanding the business needs and processes of the customer, and will probably suggest an appropriate solution that will not impact business continuity and, if it cannot fix the vulnerability, will at least prevent its exploitation (by adding a rule to the Web Application Firewall, for example).
In our experience, most vulnerability scanners can probably find only about 40-60% of the vulnerabilities in web applications. It's not a problem with the scanning technology – a scanner could probably be developed for a particular application, platform or framework capable of finding 99% of the vulnerabilities specific to the application. But taking into consideration the great variety of web technologies that exist today, it is impossible to develop a universal scanner that will efficiently detect vulnerabilities in all types of web applications. Human expertise is required here.
However, web penetration tests also have their limits. For example, they cannot prevent a website admin's PC from being hacked with the aim of stealing FTP or SSH credentials and later infecting the website with malware. Such malware, however, can be identified very quickly with daily malware scanning. Vulnerability scanning should be used for continuous security and integrity monitoring, while penetration testing should be used to properly identify all the existing vulnerabilities and weaknesses and develop reliable fixes for them. This is why continuous daily monitoring combined with quarterly penetration testing is the most efficient and effective way to keep a website secure.
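The continuous integrity monitoring mentioned above is the control that catches the stolen-credential scenario: a pentest cannot stop someone who logs in with valid FTP or SSH credentials, but a daily comparison of the web root against a known-good baseline shows the files they added or changed. The script below is an added example written for this article, not ImmuniWeb's code or any product's scanner; it builds a SHA-256 baseline, diffs a later scan against it, and uses a temporary directory with constructed, benign files to stand in for a real web root.

```python
"""Daily file integrity check for a web root.

Added example. A baseline of SHA-256 hashes is taken when the site is known
to be clean; each later run reports files that were added, modified or
removed, which is how an injected script or a tampered page shows up
between two daily scans. The web root below is a constructed temporary
directory, not a real site.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Construct a tiny web root, take a baseline, simulate tampering, diff.

    The 'tampering' is harmless text written by this demo itself.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "inc", "config.php"), "w") as f:
            f.write("<?php $db = 'site'; ?>\n")
        baseline = build_baseline(root)   # taken while the site is clean

        # Changes between two daily runs (constructed): one file appended to,
        # one unexpected new file, one file removed.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("<!-- appended marker -->\n")
        with open(os.path.join(root, "inc", "cache.php"), "w") as f:
            f.write("<?php // unexpected new file ?>\n")
        os.remove(os.path.join(root, "inc", "config.php"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off the web server (an attacker with write access to the site could otherwise update it too) and refreshed only after a deliberate deployment, so that every difference reported by the daily run is either a known deployment or something to investigate.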
Penetration Testing Providers
So, how do you find experienced and trustworthy penetration testing providers? Among the variety of penetration testing companies, those that really stand out are the ones that can provide a scalable, AI-driven penetration testing service.
ImmuniWeb uses award-winning AI technology to combine manual and automated web and mobile security testing suitable for all types of businesses, regardless of their size, geographical location or skills. High-speed, large-scale automated testing combined with human expertise and experience accurately detects the most complex security flaws missed by automated vulnerability scanners.
Not long ago ImmuniWeb introduced an automated penetration testing approach which opens new horizons for classical penetration testing (i.e. ethical hacking) and allows the implementation of even more enhanced penetration testing services. All of the above-mentioned facts allow us to name ourselves one of the most reliable penetration testing providers on the web security market today. Automated vulnerability scanners are now losing their position to ultra-modern automated penetration testing.