An application penetration test is generally considered incomplete unless it covers the following:
- Performing reconnaissance, following the standard methodology
- Enumerating functionality
- Testing individual parameters
- Creating test cases
- Performing non-invasive exploitation
- Providing a report that explains each issue
- Including steps to reproduce, proof-of-concept code, and possible mitigations
During my career, on numerous occasions, I have come across security consulting companies or independent professionals that are known to run an automated scanner that detects only a handful of vulnerabilities and almost never discovers logical issues. These vulnerabilities are then exploited with a half-baked exploit that does little to convey the business impact and criticality of the findings to the end client.
Running an automated scanner is the most common approach to detecting vulnerabilities quickly. This...