Why you need Human Penetration Testers

I’ve spent 15 years performing penetration testing for governments and corporates around the world. It’s an essential tool for determining your exposure, allowing you to get as close as possible to simulating a real-life attack, from a real-life attacker.

Automated scanning tools are extremely useful but currently cannot match the skills of a human tester.

In large part, this comes down to the human ability to find contextual application logic flaws. Scanners are limited to finding vulnerabilities that are discoverable by sending particular patterns in requests and that return a specific pattern in the response. Application logic flaws do not exhibit these characteristics, and an abstract, contextual understanding of the application is often required to see that there is a vulnerability.

A simple example of this is the ability to view another user’s data in an application. Usually there is no malicious data sent in the request; there is simply a mistake in the authorisation code or flow of the application. But currently only humans are capable of identifying these flaws.
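The sketch below is an added example, not code from the original article. It shows the flaw just described next to its fix, plus the cross-user check a tester or a regression suite would run. The invoice records, function names and users are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str

# Constructed sample records for two users.
INVOICES = {
    1001: Invoice(1001, "alice", "120.00"),
    1002: Invoice(1002, "bob", "87.50"),
}

class Forbidden(Exception):
    pass

def get_invoice_flawed(session_user, invoice_id):
    """Checks that the caller is logged in, but never checks ownership."""
    if session_user is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]

def get_invoice_fixed(session_user, invoice_id):
    """Same handler with the missing ownership check added."""
    if session_user is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    # Identical error for "missing" and "not yours" so IDs cannot be enumerated.
    if invoice is None or invoice.owner != session_user:
        raise Forbidden("not found")
    return invoice

def cross_user_reads(handler, users=("alice", "bob")):
    """Every user requests every invoice; return (user, id) pairs where a
    non-owner received data. Each request is a well-formed integer ID, so
    there is no request or response pattern for a scanner to match."""
    leaks = []
    for user in users:
        for invoice_id in INVOICES:
            try:
                result = handler(user, invoice_id)
            except Forbidden:
                continue
            if result.owner != user:
                leaks.append((user, invoice_id))
    return leaks
```

Deciding that a non-owner response counts as a leak requires knowing who is supposed to see which record, which is the contextual knowledge the check encodes.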

Scanners are also unable to understand the business context of any vulnerabilities they find. Which system the vulnerability is present on, and what data or access it exposes, is vital to determining how important the vulnerability is. A good penetration tester will understand this context and incorporate this information when reporting the findings.

Vulnerability reporting from ethical hacking should incorporate the context within the application and the context within the business. This allows you to assess your overall level of exposure and prioritise where you deploy resources to remediate.

Scanners do not understand context; humans do. Human penetration testers are still a critical tool in the cyber security arsenal. Humans matter.