Vulnerability Correlation and Manual Pentesting

Manual Pentesting, Vulnerability Correlation
Rahul Raghavan | October 17, 2018


Riding the wave of DevOps, automating development processes to achieve scale is steadily becoming the norm at most companies. As automation gains popularity, many industry leaders see a need for DevOps to evolve into DevSecOps (the integration of application security testing into DevOps), since development, operations and security are closely connected. Recognising this, development and security teams are slowly adopting automation for security as well. This is still proving to be a challenge, since application security testing has traditionally been a heavyweight process performed as an end-of-the-chain activity.

In line with this trend of automating security processes, organizations are considering application vulnerability correlation platforms as an option. Application vulnerability correlation (AVC) platforms allow security and development teams to drastically cut down the time required to manually consolidate and prioritize security defects. AVC is listed as an emerging trend in Gartner's 'Hype Cycle for Application Security, 2018' with a high benefit rating (*). When teams or companies consider an AVC platform, they more often than not assume automation to be a prerequisite for it. The common perception today is that only teams that automate their security testing by using several testing tools such as SAST, DAST and SCA should add vulnerability correlation to their vulnerability management process.

But this is far from the truth: automation or not, an application vulnerability correlation platform can be used by any team looking to manage application vulnerabilities. Looking at automation, worldwide adoption of DevOps is only around 35% as of 2018, whereas the organizations that require and already conduct application security testing are, ideally, all the organizations that develop applications. So every security and product engineering team that needs application security testing also needs application vulnerability management, which is what an AVC tool provides. Vulnerability management is a part of the application security process, and all security teams spend a lot of time and effort managing vulnerabilities. These teams need to realise that vulnerability management can be automated to a certain extent through vulnerability correlation.

What, why and how of Application Vulnerability Correlation

Automating the process of application vulnerability correlation by using a single centralized platform allows you to streamline your application vulnerability testing by consolidating results from multiple security testing tools.

With application security testing becoming more important and widely accepted, the two most common problems faced by application security teams today are:

How do we deal with the time spent on vulnerability management?

How do we prioritize the scanned vulnerabilities?

An AVC platform can be an answer to both questions, as it allows security teams to automate the vulnerability management process and noticeably reduces the time spent on manual correlation of vulnerabilities. Vulnerability correlation platforms help security teams assess and prioritize the mass of vulnerabilities reported by multiple security testing tools such as SAST, DAST and SCA.

An AVC platform is able to automate the process of correlating scanned vulnerabilities and presenting them on a single platform. This makes an AVC platform suitable for security teams that have started moving towards automating application security testing by using multiple scanning tools that scan their application during and after the development stage.

But what about the security teams that still follow the traditional method of manual testing, as opposed to automation, or a combination of both? What about the scenarios where some vulnerabilities and defects can be uncovered only via manual pen-testing? In this case too, an AVC platform is a pertinent choice. An AVC platform's primary use case is to correlate reported vulnerabilities, regardless of how each vulnerability was uncovered.

Vulnerability Correlation as a Subset of Vulnerability Management

Vulnerability correlation is a part of the vulnerability management process, as it helps security teams manage correlated vulnerabilities on a single platform. Beyond correlation, AVC platforms also help with prioritization and remediation of the reported vulnerabilities. These platforms provide a scoring system for vulnerabilities, enabling teams to understand the severity and significance of each one. Vulnerability correlation as a technology aims to give security teams not only visibility of the vulnerabilities present but also a way to separate the high-priority issues, those most likely to compromise their applications, from the low-priority ones. AVC platforms also help detect persistent false positives reported by certain security scanners. These features benefit development teams as well, since the findings they receive are more relevant, making it easier to find and fix vulnerabilities earlier in the pipeline.
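As an added illustration (not Orchestron's code and not from the original post), the following Python sketch shows the core of what a correlation platform does with the findings described above: it normalises reports from a SAST tool, a DAST tool and a manual pentester into one shape, merges findings that describe the same weakness at the same location, raises the priority when several sources agree, and flags recurring findings that a triager already marked as false positives. The tool field names, the CWE name mapping and the sample findings are constructed assumptions; mapping SAST code locations onto DAST endpoints needs code-to-endpoint knowledge that this example does not attempt.

```python
from collections import defaultdict
from urllib.parse import urlsplit

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CWE_BY_NAME = {"sql injection": "CWE-89", "cross-site scripting": "CWE-79"}  # assumed DAST vuln names

# Constructed sample input: one report each from a SAST tool, a DAST tool (two scans) and a manual pentest.
# Field names differ per source on purpose; normalise() maps them to one shape.
RAW_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "High"},
    {"tool": "dast", "type": "SQL Injection", "url": "https://example.test/api/users?id=1", "risk": "High"},
    {"tool": "manual", "cwe": 89, "endpoint": "/api/users", "severity": "critical"},
    {"tool": "dast", "type": "Cross-Site Scripting", "url": "https://example.test/search?q=x", "risk": "Medium"},
    {"tool": "dast", "type": "Cross-Site Scripting", "url": "https://example.test/search?q=y", "risk": "Medium"},
    {"tool": "sast", "cwe": "CWE-798", "file": "app/config.py", "line": 3, "severity": "Low"},
]

# (cwe, location) keys a triager marked as false positives earlier; a recurring match is flagged, not re-triaged.
KNOWN_FALSE_POSITIVES = {("CWE-798", "app/config.py")}

def normalise(raw):
    """Map one tool-specific finding onto (cwe, location, severity, source)."""
    if raw["tool"] == "sast":
        return raw["cwe"], raw["file"], raw["severity"].lower(), "sast"
    if raw["tool"] == "dast":  # keep only the URL path so repeated scans of the same endpoint collapse
        return CWE_BY_NAME[raw["type"].lower()], urlsplit(raw["url"]).path, raw["risk"].lower(), "dast"
    return f"CWE-{raw['cwe']}", raw["endpoint"], raw["severity"].lower(), "manual"

def correlate(raw_findings, known_fps=KNOWN_FALSE_POSITIVES):
    """Merge findings describing the same weakness at the same location, then rank them."""
    groups = defaultdict(lambda: {"sources": set(), "severity": "low"})
    for raw in raw_findings:
        cwe, location, severity, source = normalise(raw)
        group = groups[(cwe, location)]
        group["sources"].add(source)
        if SEVERITY_RANK[severity] > SEVERITY_RANK[group["severity"]]:
            group["severity"] = severity  # keep the highest severity any source assigned
    ranked = []
    for (cwe, location), group in groups.items():
        known_fp = (cwe, location) in known_fps
        # independent confirmation (e.g. DAST plus manual pentest) raises priority; known FPs sink to the bottom
        score = 0 if known_fp else SEVERITY_RANK[group["severity"]] * len(group["sources"])
        ranked.append({"cwe": cwe, "location": location, "severity": group["severity"],
                       "sources": sorted(group["sources"]), "score": score, "known_fp": known_fp})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in correlate(RAW_FINDINGS):
        print(row)
```

The six raw findings collapse to four correlated issues, with the SQL injection confirmed by both DAST and the manual tester ranked first and the previously triaged hard-coded credential finding sunk to the bottom.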

Given the points above, the assumption that an automated security testing process is a mandate for teams looking to use vulnerability correlation platforms is not true. Whether the vulnerabilities are discovered by security testing tools, manual pen-testers or third-party platforms, they can all be consumed by an AVC platform to produce a consolidated and prioritized view.

Manual Pentesting and Orchestron

Orchestron is an application vulnerability correlation platform whose main function is the correlation of vulnerabilities. Vulnerabilities can be uploaded into Orchestron in any way, from tools as well as manually. When multiple testing teams test the same application, each team can upload its vulnerability report as a specified engagement (bucket) within Orchestron and correlate the results. This allows individual teams to view and manage their own vulnerability reports.

Apart from its Burp integration, Orchestron also has a Burp plugin which allows teams to publish scan results directly from Burp to Orchestron, eliminating the need to manually download and upload scan reports. Orchestron's integration with bug-tracking tools like JIRA enables a two-way sync between the two: when the status of a specific bug ticket is updated in the bug tracker, it is automatically updated in Orchestron, and vice versa.

As a platform, Orchestron supports the vulnerability management process by automating vulnerability correlation and giving security and development teams a consolidated view of application vulnerabilities in one place.


Source(*) : Hype Cycle for Application Security, 2018, Ayal Tirosh, 27 July 2018

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
