Penetration testing, Manual vs automated : version 1

| | Manual Penetration Testing | Automated Penetration Testing |
|---|---|---|
| Purpose | Thorough insight into exploitable weaknesses | Rapid testing of a high volume of assets |
| Testing process | Intensive in terms of manual effort. Not based on specific quality standards. Requires several tools. Results can vary significantly from test to test. Generally requires highly paid, experienced security personnel to run and interpret tests. | Easy and fast. Eliminates tedious manual tasks. Centralized and standardized to produce consistent and repeatable results. Easy to use and provides reports. |
| Logical decisions | An experienced pentester can decide, based on experience, what the best method to perform the pentest is. | Automated pentest tools work on predefined logic and, in some cases, cannot decide what the best way to exploit vulnerabilities is. |
| Training | Testers need to learn non-standardized, ad hoc testing methods. They need to keep the knowledge base up to date. | Users can learn and install in as little as one day. |
| Reporting | Requires significant effort, with all results recorded and collated manually. All reports must be generated by hand. | Comprehensive history and findings reports are automatically produced. Reports are customizable. |

Conclusion

Automated tools are good for reducing time and for checking for specific weaknesses, but they cannot replace humans.


