Here's What Your Manual Pentesting is Missing Out On

AVC, Vulnerability Correlation, Manual Pentesting, AppSec, Security Testing
Rahul Raghavan | September 16, 2020

Riding the wave of DevOps, automating development processes to achieve scale has become the norm at most companies. As automation spreads, many industry leaders see a need for DevOps to become DevSecOps (the integration of application security testing into DevOps), because development, operations and security are closely connected.

Recognising this need, development and security teams are slowly adopting automation for security work as well. This is still proving to be a challenge, because application security testing has traditionally been a heavyweight process performed at the end of the delivery chain.

Read more: The problem in your vulnerability management lifecycle 

Vulnerability management is part of the application security process, and every security team spends a lot of time and effort on it. What these teams need to realise is that vulnerability management can be automated to a useful degree through vulnerability correlation.

So...why should you care about vulnerability correlation?

Automating application vulnerability correlation (AVC) on a single centralised platform streamlines application vulnerability testing by consolidating the results of multiple security testing tools.

With application security testing becoming more important and widely accepted, the two most common problems application security teams face today are:

  • How do we deal with the time spent on vulnerability management?
  • How do we prioritise the scanned vulnerabilities?

AVC can answer both questions: it automates much of vulnerability management and cuts the time spent on manual correlation considerably. Vulnerability correlation helps security teams assess and prioritise the mass of findings produced by multiple security testing tools such as SAST, DAST and SCA.

Vulnerability correlation automates the correlation of scanned findings and presents them on a single platform. This makes AVC a natural fit for security teams that have started automating application security testing with multiple scanning tools that run during and after development.

Read more: How one security team used AVC to turn 1300 vulnerabilities to 89

But what about the security teams that still follow the traditional method of manual testing? And what about the vulnerabilities and defects that can only be uncovered by manual pentesting?

Well, that's the thing. Correlation is about organising vulnerabilities found by any testing method, whether it's automatic or manual. And that's because...

Vulnerability Correlation is a subset of Vulnerability Management

Correlation is part of the vulnerability management process: it lets security teams manage correlated vulnerabilities on a single platform. Beyond correlation, AVC platforms also help prioritise and remediate the scanned vulnerabilities.

These platforms provide a scoring system for vulnerabilities, so teams can understand the severity and significance of each finding. As a technology, vulnerability correlation aims to give security teams not only visibility into the vulnerabilities present, but also a way to separate the high-priority issues, those most likely to compromise their applications, from the low-priority ones.

Learn more: AVC prioritises, deduplicates and categorises vulnerabilities

AVC also helps identify persistent false positives reported by certain security scanners. These features benefit development teams as well, because the findings they receive are more relevant, which makes vulnerabilities easier to find and fix earlier in the pipeline.

Read more: How managing false positives can bring your vulnerabilities down 75%

Given the points above, the assumption that an automated security testing process is a prerequisite for using a vulnerability correlation platform is simply false.

Whether vulnerabilities are discovered by security testing tools, manual pentesters or third-party platforms, an AVC platform can still consume them and present a consolidated, prioritised view.
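To make the mechanism described above concrete (merging SAST, DAST and manual pentest findings into one schema, deduplicating them, scoring them, and filtering known false positives), here is a small correlation engine. It is an added illustration written for this article, not code from any AVC product; the three finding formats, the route-to-file map, the severity weights and the false-positive list are all constructed assumptions.

```python
"""Toy application vulnerability correlation (AVC) engine.

Added example, not the code of any AVC product: it normalises findings from
a SAST tool, a DAST tool and a manual pentest report into one schema,
deduplicates them by (CWE, code location), scores each correlated issue and
applies a false-positive list. All inputs below are constructed sample data.
"""
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 9}

# Assumption: the team supplies a route-to-source map so a DAST or pentest
# finding on a URL can be linked to the file a SAST tool flags.
ROUTE_MAP = {"/orders": "app/orders.py", "/checkout": "app/checkout.py", "/": "app/views.py"}

# Findings triaged as false positives in an earlier cycle (constructed):
# the XSS in app/views.py was confirmed to be auto-escaped by the template engine.
KNOWN_FALSE_POSITIVES = {(79, "app/views.py")}

# Constructed tool output in three different shapes, as real tools produce it.
SAST_FINDINGS = [
    {"tool": "sast", "rule": "CWE-89", "file": "app/orders.py", "line": 42, "severity": "high"},
    {"tool": "sast", "rule": "CWE-79", "file": "app/views.py", "line": 17, "severity": "medium"},
    {"tool": "sast", "rule": "CWE-89", "file": "app/orders.py", "line": 42, "severity": "high"},  # re-scan duplicate
]
DAST_FINDINGS = [
    {"tool": "dast", "cwe": 89, "url": "/orders", "param": "id", "severity": "high"},
    {"tool": "dast", "cwe": 693, "url": "/", "param": None, "severity": "low"},
]
PENTEST_FINDINGS = [
    {"tool": "manual", "title": "SQL injection in order lookup", "cwe": 89,
     "route": "/orders", "param": "id", "severity": "critical"},
    {"tool": "manual", "title": "Coupon can be redeemed repeatedly", "cwe": 840,
     "route": "/checkout", "param": "coupon", "severity": "high"},
]


@dataclass
class Finding:
    """Common schema every source is mapped onto before correlation."""
    cwe: int
    location: str   # source file, after route mapping
    source: str     # "sast", "dast" or "manual"
    severity: str
    detail: str


@dataclass
class Issue:
    """One correlated weakness, possibly reported by several sources."""
    cwe: int
    location: str
    sources: set = field(default_factory=set)
    severity: str = "low"
    details: list = field(default_factory=list)
    suppressed: bool = False

    @property
    def score(self) -> int:
        # Worst reported severity, plus a confidence bonus for each extra
        # independent source that confirms the same weakness at the same place.
        if self.suppressed:
            return 0
        return SEVERITY_WEIGHT[self.severity] + 2 * (len(self.sources) - 1)


def normalize(raw, route_map=ROUTE_MAP):
    """Map one tool-specific record onto the Finding schema."""
    tool = raw["tool"]
    if tool == "sast":
        cwe = int(raw["rule"].split("-")[1])
        return Finding(cwe, raw["file"], tool, raw["severity"], f"line {raw['line']}")
    route = raw.get("url") or raw.get("route")
    location = route_map.get(route, route)  # unmapped routes keep the URL as location
    detail = f"{route} param={raw['param']}" if raw.get("param") else route
    if tool == "manual":
        detail = f"{raw['title']} ({detail})"
    return Finding(raw["cwe"], location, tool, raw["severity"], detail)


def correlate(raw_findings, route_map=ROUTE_MAP, false_positives=KNOWN_FALSE_POSITIVES):
    """Deduplicate, merge and rank findings from any mix of sources."""
    issues = {}
    for raw in raw_findings:
        f = normalize(raw, route_map)
        issue = issues.setdefault((f.cwe, f.location), Issue(f.cwe, f.location))
        issue.sources.add(f.source)
        if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[issue.severity]:
            issue.severity = f.severity
        if f.detail not in issue.details:
            issue.details.append(f.detail)
    for key, issue in issues.items():
        # A past false-positive verdict silences scanner noise, but a manual
        # tester confirming the same issue must override it.
        issue.suppressed = key in false_positives and "manual" not in issue.sources
    return sorted(issues.values(), key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for issue in correlate(SAST_FINDINGS + DAST_FINDINGS + PENTEST_FINDINGS):
        flag = " (suppressed)" if issue.suppressed else ""
        print(f"score={issue.score:2d} CWE-{issue.cwe} {issue.location} "
              f"sources={sorted(issue.sources)}{flag}")
```

On this sample the seven raw findings collapse to four issues, one of them suppressed, with the SQL injection ranked first because three independent sources (SAST, DAST and the pentester) agree on the same weakness at the same location. Two points carry over to real platforms: the route-to-file map is what actually makes a DAST or pentest finding correlate with a SAST finding, and without it the two stay separate issues; and a false-positive list should only silence automated sources, so that a manual tester confirming the same key reopens it rather than being hidden by an old triage decision.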

When you look at automation, worldwide DevOps adoption was only around 35% as of 2018, yet the organisations that require and already conduct application security testing include virtually every organisation that develops applications.

In other words, every security and product engineering team that needs application security testing also needs application vulnerability management, which is exactly what an AVC tool provides.