The article “Can automated penetration testing replace humans” was posted just yesterday. It resonated with me so much that I felt a smile linger on my face while reading it. It is the first article that gives “automated penetration testing” a fair assessment. And to me, it’s a prelude to another era – AI challenging humans with more and more sophisticated work, this time in cyber security.
Alex Haynes states in his article, “the big caveat here is that these automation tools are improving at a phenomenal rate, so depending on when you read this, it may already be out of date.” This statement holds very true, because as of today, the downsides mentioned in the article have already been overcome by a tool called RidgeBot™ from Ridge Security Technology Inc.
I’ll address the two downsides brought up in the article and elaborate on what an advanced auto-penetration tool has achieved to address them:
Downside 1: “Automated penetration testing tools don’t understand web applications – at all.”
Response: RidgeBot™ understands both host servers and web applications. RidgeBot™ uses smart crawling or, in some instances, proxy mode to automatically discover attack surfaces that reside on domains, URLs, folders, sub-folders, front-end and back-end login entries, email addresses, etc. RidgeBot™ further mines vulnerabilities over these attack surfaces by using tens of thousands of built-in plugins. Its scanning capability is as good as popular web vulnerability scanners such as Burp Suite and Acunetix. But RidgeBot™, as an auto-pentest tool, does not stop there. After scanning, it further validates the vulnerabilities with exploits. Whether it’s SQL injection, SSRF (server-side request forgery), cross-site scripting or weak passwords for back-end login entries, RidgeBot™ will show “hard evidence” after successful attacks. The hard evidence includes web shell control, credential exposure, and SQL database control, among others.
Internet-facing web services are the most convenient, accessible entry points for a hacker to pivot into internal enterprise networks; therefore, auto-pentest tools should always include this as a tactic. Strong web application scanning and exploitation capability sets RidgeBot™ apart from other similar tools.
Downside 2: You can only use automated pentesting tools “inside” the network.
Response: Placing automated pentesting tools outside the network means hackers have to go through or bypass network security systems such as firewalls, IPS and WAF. Certainly, this poses extraordinary challenges, but that is what hackers do. RidgeBot™ imitates real-world scenarios: it can launch attacks from outside the network.
RidgeBot™ can leverage an external-facing web service as an entry point, or vulnerabilities found in the web-based management console of a network security device, to break in, just like a real hacker would do. External ethical hacking, done by RidgeBot™, is suitable for organizations that assume their main threats are external. With external attacks, due to the limited access to internal servers imposed by firewalls, the findings in risks and vulnerabilities might be narrower. For organizations that are more concerned about threats from inside the network, internal ethical hacking (pentesting) would be a better approach, because it allows the auto-pentest tool to perform more thorough testing against internal servers and reveal more vulnerabilities and risks.
In order to test the security posture of an enterprise’s overall IT infrastructure, both external and internal testing capabilities are mandatory. This is why RidgeBot™ was developed to support both approaches.
I agree with Alex: the field of automated penetration testing is “improving at a phenomenal rate.” At Ridge Security, as a pioneer provider, we aim to help our customers outrun malicious hackers and achieve continuous protection, and we strongly recommend that enterprises include automated penetration testing in their security hygiene routine.