Penetration Testing and Vulnerability Analysis - Trends in 2016

24/10/2016 - 09:09

“Future of pentesting and its trends for 2016 and beyond”

One of the predictions for 2016 is that it will be a year of Hacking the Code. Not the Da Vinci Code, but computer code. This code contains vulnerabilities, and it is being exploited through its underlying integrations and connections to various enterprise-class systems.

The second prediction is that we will be seeing cybersecurity and incident response automation. This relates to the notoriously error-prone nature of human beings who, despite genuine talent, create the automated, digital world we know today.

Penetration testing is, by many, already considered to be a “commodity” tactic today. To achieve the best results, a pentester needs to combine various strategies: leveraging the power of top-notch automated tools, combining manual and automated testing, writing their own tools for new technologies, a solid knowledge of the systems attacked, scripting, social engineering, dark web spider-intelligence, and more. Many popular penetration testing tools help penetration testers create fancy-looking reports that leave a great impression on (and resonate well with) the client. Such tools combine online dark web data, perimeters, systems, and application layers in one beautiful report with its own scoring schema. Oftentimes, the driving force of penetration testing is a need to be in compliance with regulations instead of a genuine decision to actually improve security.

The benefits of using automated tools are great, and it is always a good idea to be equipped with the best tools available that can help automate the work as much as possible. You could almost think of it as a scripted set of testing attacks with payload parameters. This is where we see the industry going. The tools do not have to be commercial. A great momentum exists in the open source community, including OWASP. Of course, even with more automation, there will still be a major difference in the quality of work between top penetration testers and an automated scan: “a vulnerability scan” does not equal a “pentest”. The shift towards automation, however, can be a cost-efficient alternative for companies looking to save on basic penetration testing services and a good way for penetration testers to save time and be more efficient.

One peculiar nightmare of automated tools is the ratio of false positives, followed by the ranking and interpretation of findings. Humans are still needed to properly categorize and eliminate false positives. Tools that provide learning capabilities are far away from the popular terms of machine learning and intelligence, however.

As new tools and utilities are being introduced to help automate penetration testing tasks to a degree that would not have been possible just a few years ago, application complexity, technologies, and trends evolve exponentially with them.

Although automation continues to be essential for pentesters, the challenges remain the same: every application is different, and tools will heavily depend on user direction, since they cannot understand context and semantic meaning, have no intuition, and can neither improvise nor adjust strategy. Pentesting strategies are now shifting from a one-shot-a-year exercise to annual programs, where secure code review, static and dynamic, is combined with perhaps quarterly penetration tests of targeted areas. The financial sector, in particular, considers penetration testing an annual product, versus a one-time service. Professional firms use human intellect and tools to set up whole cybersecurity code exploitations and development practices with emphasis on testing components.

Effective penetration testing teams will consist of 3-5 highly trained professionals and specialists, executing the pentest assignment with well-rehearsed scrum efficacy: communication, division of tasks, re-prioritizing the backlog, tracking, addressing new issues, strategically re-focusing to maximize the value of both individual and team contributions, and committing to and owning the project from start to completion. Teams adopting lean methodologies would typically achieve a velocity of at least double that of isolated individual contributors of the same background.

New skillsets will be required in various emerging areas of penetration testing:

Mobile Devices - iOS, Android, or Windows based native applications, as well as hybrid application assessment, will become more and more important as the use of mobile devices gradually shifts from entertainment to business use and the processing of financial and other sensitive data.

Cloud and virtualization - software-defined network technology is new and changing rapidly, and so is its threat landscape. This will require adjusting pentesting techniques with a matching speed.

Internet of things, embedded systems, pentesting/reverse engineering - office and home automation, vehicles, medical, payment, industrial control systems, switches, power converters, circuit breakers, and other devices are being connected to networks and therefore exposed to possible attacks. They all will need new and improved tools and approaches.

Ever-evolving modern JavaScript-based web applications - to assess the security of such applications, there will be a need to combine classic crawling and scanning with a web browser engine, a JavaScript debugger, a forward/backward tracer, an unpacking/de-obfuscation snapshot comparer, and script-based state/variable alerting, injecting, and fuzzing.

Wireless systems - software-defined radio (SDR) based wireless security assessments, WiFi, smart meters, wearable devices, etc. All of this will require specific tools and skillsets.

Machine learning-based anomaly detection will keep improving. Unfortunately, so will countermeasures.

Internal network pentesting - will be used more as companies realize that penetrating their internal networks using social engineering is a real possibility.

Social engineering - as a part of pentesting, in the foreseeable future, we don't see a possibility that an automated robot can get to a company building and ask somebody to "print his resume" from a USB drive.

Remnants of the old-era Zeitgeist - "legacy systems", with a plethora of well-humming and rather dated production deployments out there, are great examples of the need for pentesters. These systems will continue to require pentesting, which will not deviate greatly from currently proven methodologies, and a skilled pentester is crucial for those precise military sniper missions.

We do believe that in the near future and beyond (at least until the time when applications are fully developed and auto-improved by autonomous artificially intelligent agents), it will still be human genius and intelligence, in-depth understanding, and efficient utilization of automated tools that determine the most successful pentesting outcomes. Terminator is an interesting concept and a movie; only time will show how far artificial intelligence will get and whether human genius will replace itself with fully automated systems. Do not forget that, at present, it is the human hacking skillset that has so far won the race against machines.

by Jaro Nemcok (Web Security Researcher at LIFARS LLC)

& Ondrej Krehel (CEO and Founder of LIFARS LLC) | pentestmag.com
