The advent of AI, and the disruption caused by AI-powered tools and products, has also spread into the cybersecurity industry. With AI and its ‘extensive’ capabilities being the buzzword, the big question remains: will AI ever replace human pentesting engineers for cyber security assessments? Even if such capabilities are achieved in the near or distant future, would they be enough to ensure complete test coverage, security and compliance? Why aren't automated scans enough for an ever-evolving cybersecurity threat landscape? This write-up seeks to address some of these pressing concerns.
There is no doubt that the cyber security threat landscape is growing both in scale and complexity. As Verizon aptly summarizes in their 2019 Data Breach Investigations Report “No organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack. Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it”.
With an ever-increasing number of security breach events reported daily, we must recognize how much the human element can change the cyber security posture of an organization. Not only are we an easy target, we are also a pivotal part of the solution. However, with the current trends and excitement around the AI buzzword, it is very easy to forget the relevance of the human factor.
Why do I need a pentest when I could run automated scans?
With the surge of AI and ML tools, products and techniques, this is a very common question among compliance managers and cybersecurity practitioners worldwide. The simple answer is: “AI-powered automated scanning will never be able to provide the complete threat surface coverage of a manual pentest engagement”.
To elaborate: although automated scanning tools give an overall, indicative threat level for the asset under test, replacing a manual pentest entirely and relying solely on scanning engines is never an effective cyber security strategy. Vulnerability scan reports require technical expertise from the reviewer; automated scan results are only as good as what you make of them. If your internal security team lacks the expertise to review the results, rank vulnerabilities by severity and mitigate them effectively, automated scan results are of little use.
Furthermore, each asset is different and carries its own business logic and workflows, which scanning engines in their current state cannot capture or test against. This means that a hacker could dig deep into the application, exploit business logic vulnerabilities and still compromise the asset.