Are there any solutions currently in the market for Customization and Total Automation for Penetration Testing Reports?
Sort by:
Total automation of Pen test reports is a risk from at least two directions. One is if the pen test tool runs amok, it can cause damage internally and to other companies inadvertently - creating liability for the person commissioning the pen test. Another risk is that the automated tool won't be robust, there are numerous scanning tools available which lack the depth to simulate a determined, genuine hacker. The third risk that comes to mind is the data from your scan. Who will own the output form your test which lays out your firms weaknesses with specificity?
You should probably elaborate on what you mean by these terms.
Penetration testing reports could be:
1. The output of a pentest engagement, where X testers worked on a specific scope to identify issues (generally word/pdf/html format)
2. Ad-hoc or regularly generated reports on penetration testing issues identified across your portfolio, filtered and formatted in a specified manner but generally in a tabular structure such as excel, csv)
Similarly, "Customization and Total Automation for Penetration Testing Reports" would be different for each of the above 2. Or you could mean:
3. Fully automated and customized penetration testing process, which apart from executing the test cases of a pentest, it will produce pentest reports
There is an emerging security technology domain, breach and attack simulation (BAS), that has the capability to automate penetration testing reporting in a 24x7 basis.
I would be more than happy to provide more information how BAS works, pros and cons, cost model etc.
CompTIA PenTest+ (PT0-002) includes best practices for automation techniques and it has been released in late October 2021. The exam assesses how to perform automated vulnerability scanning and penetration testing using appropriate tools and techniques, and then how to analyze the results as shown below.
Domain 2.0 Information Gathering and Vulnerability Scanning
2.4 Given a scenario, perform vulnerability scanning. Includes vulnerability testing tools that facilitate automation.
Domain 5.0 Tools and Code Analysis
5.2 Given a scenario, analyze a script or code sample for use in a penetration test. Includes automating the penetration testing process and next steps based on results of a scan.
5.3 Explain use cases of the following tools during the phases of a penetration test. Includes automation tools for scanning and web application testing.
Most modern penetration testing tools include automation capabilities. For example, you can find automation testing features in Metasploit, Nettacker, Jok3r, Legion, Sn1per, Open Security Content Automation Protocol (SCAP), OWASP ZAP and Burp Suite – to name a few.
Edgescan provides PTaaS (Penetration testing as a service) which includes automated reports signifying which vulnerabilities were discovered by human penetrationtesting and which vulnerabilities were discovered via automation.