Death of the Manual Pen-Test: Blind Spots, Limited Visibility
2021-04-28 16:00

Manual penetration testing is increasingly challenged by automated methods of vulnerability discovery and management.

The reasons are not difficult to understand: the cost of manual testing is too high and its coverage too limited.

The main concerns are that pen-testing does not cover the entire infrastructure, leaving blind spots; it examines only known assets rather than discovering and testing assets that may have been forgotten, or not recognized, in cloud environments; the cost of pen-testing is too high for it to be used extensively; and, related to the cost, the results of pen-testing provide just periodic snapshots in time that might no longer be accurate the day after the testing.

The implication of this statement is that manual pen-testing still has a place in testing the security of perhaps the customer's most important assets, but only as an addition to automated monitoring of the overall attack surface.

The biggest concern, at 60 percent, is that pen-testing provides only limited test coverage over a portion of the attack surface, leaving behind too many blind spots.

Rob Gurzeev, CEO and co-founder of CyCognito, adds, "Security tests should tell organizations what attackers are able to see and exploit so that defenders can prevent breaches. But when companies are only able to see assets they already know about, test just a portion of their attack surface, and do that only a few times per year, preventing breaches isn't possible. So, the biggest takeaway from this report is that what organizations want or are hoping to achieve through pentesting versus what they actually are accomplishing are two very different things."


News URL

http://feedproxy.google.com/~r/Securityweek/~3/RyWCX9sU244/death-manual-pen-test-blind-spots-limited-visibility