With web vulnerabilities putting millions of websites at risk every day, organisations typically turn to automated scanners to protect their websites. Despite automated scanners being the preferred approach for protection, they don’t do enough. There’s still a common misconception that fully-automated website vulnerability scanning bring the same results as manual web application penetration testing.
There is a vital need for a deep level of IT and security expertise that only comes from human skills, as demonstrated by a recent analysis conducted by the universities of KU Leuven (Belgium) and Stony Brook (New York). The analysis tested websites “protected” with various trust seals provided by reputable security vendors, including Symantec, McAfee, Trust-Guard, and Qualys, delivering automated vulnerability and malware scanning services.
Free eBook: Modern Retail Security Risk – Get your copy now.
The research showed that “seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify.” This weakness is inherent in almost all fully automated solutions, which can only go so far before their output needs to be analysed by a qualified pentester.
Vulnerability scanning can be a cheaper option than penetration testing, but the latter brings significant added-value as, with the former, you can simply download any of a number of vulnerability scanners and run them against a website yourself. These will generate an automatic report providing numerous actual and potential vulnerabilities and weaknesses – and probably a number of false-positives, which are time-consuming as you need to verify every single issue the scanner detects or, even worse, false-negatives.
Some automated solutions may assign a medium risk to 403 or 500 error pages returned by the web server that are not vulnerabilities but just error pages. Website administrators then start ignoring all medium-risk vulnerabilities from daily scanning reports and miss important information about real vulnerabilities.
Security scanners are probably a must-have tool for large companies that perform some of security testing internally and automated vulnerability scanning can be also very useful to keep internal teams up to date, but neither is not capable of replacing a penetration test.
True pentesting starts from where a vulnerability scan finishes as a pentester takes the reports from probably several different scans and uses his personal skills and experience to weed out false positives, identify missed vulnerabilities, recognise weaknesses in the business logic, which scanners cannot efficiently detect, and see how otherwise minor technical flaws can be chained together to effect a major breach.
Sometimes vulnerabilities exist and remain unpatched for a “good reason” but scanners will generate generic information about a patching technique. A qualified pentester, however, is capable of understanding the business needs and processes, so they can suggest a solution that will not affect business continuity.
As a solution to the gap between automated and manual security testing, High-Tech Bridge launched ImmuniWeb® – a hybrid approach to web security testing, which combines manual and automated web security testing to accurately detect the most complex security flaws missed by scanners and other automated solutions.
To read the full blog post, please visit
By Ilia Kolochenko, CEO, High-Tech Bridge
Bio: Ilia Kolochenko has a university degree with honors in Mathematics and Computer Science from Geneva, his city of origin. Ilia Kolochenko started his career as a penetration tester, he also was a security expert and team leader working for various financial institutions and large companies in Switzerland and abroad. His military service in artillery troops took place in Frauenfeld, Switzerland. At the end of 2007 he founded High-Tech Bridge, aiming to deliver efficient and effective penetration testing to companies of all sizes. In 2010 Ilia Kolochenko created a concept of hybrid security assessment of web applications, called ImmuniWeb, that was globally launched in 2014. Being web application security expert and chief architect of ImmuniWeb, he is personally involved into ImmuniWeb’s daily operations, implementing new features and functions. Ilia Kolochenko is regularly quoted in various IT security and business journals, he was interviewed by CNBC, Financial Times, BBC and many other reputable medias.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.