This can be enlightening to those who want to pursue knowledge on varying levels. Also, it can help you expose your weaknesses. I have always believed that there are two types of people in this world. Those who have been hacked and those who do not know they have been hacked. It is a good method in consistently checking your environment for security holes. Red team your environment(s) as much as you can. As often as you can to expose what might be an issue for you. Blue team your environment(s) after you find your security holes. You can then purple team to evaluate your testing.
We utilize a tool called intruder.io. This is an automated pentest tool. This tool automatically integrates with your cloud environment and allows you to specify targets to check. You can set up checks to be weekly, monthly, or quarterly. It also allows for scans on emerging threats https://help.intruder.io/en/articles/2068984-emerging-threat-scans-explained. We have this running against our environment alongside some other scanning tools in our cloud environment and DataDog.
This method of automated testing is great and can help discover a lot of issues in the environment. Yet, there is still a benefit to a manual pentest. We utilize the data from intruder for SOC 2 compliance. We have fixed every issue and have a cyber hygiene score of A+ - Excellent. One of our clients requested that we do a manual pentest and the thought of doing something manual when automation exists seems counter-productive. The results found during the manual pentest were enlightening.
We found ten issues that the automated tool did not pick up. Granted the issues were mainly low or informational, they were still issues that were not caught. For example of a low issue we found out that there were cookies on our site that did not have a secure flag. Pretty quick fix, at the same time a good thing to know.
Sometimes we can miss things without going just a bit further. Thanks to the client who wanted more of us than an automated pentest. Without them we would… not know what we did not know.
Top comments (0)