Manual penetration testing is one of the elementary methods of security verification. This type of testing is maximally effective, but unfortunately also very time-consuming and thus expensive.
The disadvantages of manual penetration testing include:
- High dependence on the penetration tester’s expertise
- The large number of single-purpose tools that are used in the testing
- Difficult coordination when testing in teams
- High requirements for consistency in approach and documentation
- Time-consuming production of the final report
During testing, the tester must first identify the technologies used and then map the target environment to detect all sources and their inputs. The tester can either perform these activities completely manually or can be assisted by various single-purpose scripts.
Subsequently, the tester has to test each input for many types of vulnerabilities, either manually or again with the aid of specialized single-purpose scripts. If we consider that there are hundreds to thousands of such inputs, it is obvious that this is very time-consuming work that takes tens or hundreds of man-hours.
Since there are no detailed checklists to walk the tester through the testing step by step, this work is also heavily reliant on the tester’s experience and knowledge. It is up to the tester alone to determine how comprehensively the tests will be performed and how many vulnerabilities will ultimately be detected. Thus, it is not normally possible to involve novice, less experienced testers in the testing without supervision by a more experienced worker.
In order to keep track of their work and for the sake of consistency, testers must create various diagrams of the environment under test and take a large number of notes. Additionally, there is a large amount of support data being generated in manual testing, such as various screenshots and listings. It is up to the tester how they manage to keep all the generated material organized and clearly structured.
For larger projects, it is often necessary to involve more staff in testing. Testers should therefore be able to work on the test simultaneously without duplicating work and, conversely, without leaving any components untested. This means that team members should effectively share all notes and documents among themselves and keep track of each other's activities.
It goes without saying that managers also should control and supervise the ongoing testing process. Such control would be impossible without a large number of tools, including specialized project management tools, which are quite inefficient to use for this purpose. Teamwork is consequently one of the many pitfalls of manual testing.
Furthermore, the tester must determine the severity of each vulnerability found and comprehensively describe it for the personnel who will be tasked with fixing it. The tester should provide detailed information on how the vulnerability manifests and how to reliably reproduce it. They should describe the impact of exploiting the vulnerability and suggest an appropriate remediation method. The text describing the vulnerability should also be complemented with references to relevant sources of information.
On completion of testing, the descriptions of the individual findings become inputs for the final report, which should be expanded with other necessary components, including an introduction, a table of contents, a management summary, or a final summary. Producing all the texts needed for the final report is often more time-consuming than the testing itself and typically takes several dozen hours of work.
From the above, it follows that testers often spend up to 75% of their time on matters other than the testing itself. At the same time, addressing penetration tests with fully automated tools only is not a good solution. Unfortunately, without a dedicated tool to usefully combine automated tools with manual testing, the work of testers is very inefficient.
If you would like to increase the efficiency of manual testing by combining it with automated tools, gain better control of individual projects, improve teamwork or make final reports as simple as possible to create, consider whether the Penterep platform could be just the right solution to help you. The Penterep platform is packed with a number of great features that can make the work of penetration testers, and not just penetration testers, much easier and more efficient.