Why Automated App Pentests Are Not Enough | Vumetric

Why Automated App Pentests Are Not Enough

Manual Application Penetration Testing
Share on linkedin
Share on facebook
Share on twitter

Table of Contents

With the ever-growing amount of applications provided to customers, the prospect of performing Application Penetration Testing on each application, with limited budgets and scarce resources, becomes increasingly daunting and seemingly impossible for most organizations. Application risks will never be sufficiently mitigated by relying on automated scanning alone, due to the custom nature of their implementation.

The volume and complexity of cyberattacks continue to increase at an alarming rate and are predicted to continue in the following years. To ensure sufficient protection, organizations must be able to answer these questions:

  • Do we have vulnerabilities that an attacker could find?
  • If an attacker found them, could they be exploited?
  • If exploited, what damage could they do to our business?
  • What should be done to fix the vulnerabilities?

Are Automated Scans Good Enough?

Application risks cannot be sufficiently mitigated by relying on automated scans alone. Typically, there are three main dynamic options practiced today, and they vary in depth, accuracy, and cost.

  1. Automated Scans
  2. Automated Scans with Manual Validation
  3. Application Penetration Tests (Automated Scanning with Manual Validation, combined with Manual Testing)

To determine which option is right for each of your applications, it is common to take a risk-based approach to prioritize applications. This risk-based approach is used to influence the type of assessment that each application requires.

Although risk-based classification is an effective way to prioritize limited resources, it leads to the conclusion that automated scanning alone is acceptable for some applications, when in fact, this is rarely the case. The wide majority of application still require a regular manual penetration test, especially following major changes.

Automated Scans Do Not Identify Critical Vulnerabilities

Even with manual validation, automated scans consistently miss high and critical vulnerabilities that can leave organizations exposed.

Automated scans are well suited to identify certain types of application vulnerabilities found in the OWASP top 10, including Cross-site Scripting, SQL Injection, and Server-Side Request Forgery. Automated scans are also efficient at identifying particular misconfigurations, including incorrectly implemented TLS or the absence of recommended security-focused HTTP headers and cookie attributes.

However, automated scans fail to identify complex vulnerabilities that can have a critical impact on your application, such as Authentication Bypasses, many types of Access Control Weaknesses, and flaws in business logic. Also, automated scans contain a large number of false-positives, and use generic risk ratings that can lead to a waste of effort and resources on measures that will not secure your application adequately.

While a manual validation of automated scan results by certified professionals removes false-positives and adjusts risk ratings to an organization’s context, manual validation does not improve the depth of the analysis, which does not make them as reliable as manual testing to secure critical applications.

Automated Scans Leave Companies Exposed to Cyberattacks

As shown in the examples below, relying on automated scans with manual result validation can leave organizations with a false sense of security and expose them to cyberattacks, as they will feel that their application has been properly secured and no longer requires an assessment. The findings highlighted in red represent vulnerabilities that would not have been addressed if the organization had relied solely on Automated Scans, leaving them open to various scenarios of attack.

Testing Scenario #1: Public-facing app

Risk Level



CriticalAuthorization Bypass through User-Controlled KeyPenetration Testing
HighWeak access control – Page accessible without authenticationPenetration Testing
HighServer-side Request ForgeryAutomated Scanning
HighEncryption Not EnforcedAutomated Scanning
MediumImproper Access Control – Forceful BrowsingPenetration Testing
MediumInsufficient Session ExpirationPenetration Testing
MediumClient-Side Security Control Without Server-side EnforcementPenetration Testing
MediumMissing HTTP-only attribute in session cookieAutomated Scanning
MediumVulnerable software componentsAutomated Scanning
LowDisclosure of Private IP and HostnamesAutomated Scanning
LowInformation Disclosure – <Redacted> EndpointsAutomated Scanning

In this application, an automated scan would have missed 5 significant vulnerabilities, including a critical vulnerability that could have allowed an attacker to gain access to sensitive customer data.

Testing Scenario #2: E-commerce app

Risk Level



CriticalEncryption Not EnforcedAutomated Scanning
CriticalPrivilege Escalation by Authentication ManipulationPenetration Testing
CriticalUnverified Password Change Leads to Privilege EscalationPenetration Testing
CriticalAuthorization Bypass through User-Controlled KeyPenetration Testing
MediumMissing Secure Attribute in Session CookieAutomated Scanning

In this application, an automated assessment would have missed various ways in which a user could access another user’s data and permissions, leaving the company exposed to a potential incident.

Perform Manual Tests Frequently And Adjust Based on Risks

These examples demonstrate that, while automated scans can help identify various vulnerabilities that do need to be corrected, it is critical to be aware that it is far from sufficient to successfully secure a critical application. Without manual tests, the organizations would have left many stones unturned, exposing them to potentially dangerous vulnerabilities.

With today’s ever-evolving cyber threats, it is essential that all applications be manually tested by experienced and certified Penetration Testers. If they aren’t, many sophisticated and high-risk vulnerabilities will be left aside. If these vulnerabilities are overlooked, it will leave sensitive data and corporate systems at risk.

Rather than wonder “Which of my applications should be tested manually?”, you should wonder “How frequently does each application need a manual penetration test?”


To learn more about the differences between manual and automated testing or to get started, get in touch with one of our experts.


Need a Manual Web App Pentest?

Recent Vumetric Blog Posts

Internal vs External Penetration Testing

Cybersecurity is a critical component of any organization’s operations and often dictates a company’s reliability in today’s digital business world. Get it right and you secure exemplary industry reputation...

How to Improve Office 365 Security – 9 Tips

Office 365 is a valuable productivity and collaboration tool. It offers businesses numerous benefits, including easy collaboration, remote work, scalability, and lower capital spend. Office 365 security is typically...

Assess Your Cybersecurity Risks

A specialist will reach out in order to:

  • Understand your needs
  • Determine your project scope
  • Provide a cost approximation
  • Send you a detailed proposal
Mailbox Icon
stay informed!
Subscribe to stay on top of the latest trends, threats, news and statistics in the cybersecurity industry.