In these modern times, with almost everything going “Online”, Cyber Security is of prime importance heading into 2021. And along with that, the fast-paced nature of everything around us begs the need to do as much as possible automatically, with minimal or no human interaction. That holds true for any Organization’s Security posture as well. So here, let’s see why we even need to bother about Security Automation, or in this case Web Application Security Automation, how it can help us, and a little bit on how exactly you can start doing it.
There could be a variety of reasons why we’re trying to automate stuff, but the core underlying reason is to save a lot of your precious time. If you find yourself doing the exact same thing over and over again, it makes total sense to automate the whole process as much as you can. It’s a small time investment up front, but it ultimately saves a lot of time in your future engagements.
Another good reason to go with Web Application Security Automation is that you most certainly won’t miss out on the easy bugs and will cover a much wider scope. If your target is a big organization, chances are you’ll miss a lot of legacy Web Assets, URLs, and overall Infrastructure. With the power of OSINT and some smart automation, you can ensure all of that is covered for any and every target in question, and all those surface-level bugs are scraped off automatically for you.
Finally, as you can see, it improves the overall efficiency of your web application penetration testing Engagements or Bug Bounties and helps you stay ahead in the game, all while penetration testing automation saves a lot of your time and manual labor spent on boring, repetitive stuff.
Okay, so now we (hopefully) know why we are messing our heads around with all this Automation-foo of Web Application Security. But what exactly are we trying to automate here? Well, we are basically trying to automate finding as many issues from the OWASP Top 10 as we can. Of course, we won’t be able to find each and every thing, and that is something which will probably never happen with any kind of crazy Automation or AI, but that’s a whole different topic for debate in itself. So our main focus here is to leverage some OSINT techniques and tools, plus some smart logic, and try to automate finding the easy, surface-level bugs which you might otherwise miss following the traditional web application security testing approach.
As you can probably imagine, everything can’t be sunshine and rainbows, and the same applies to our automation as well. The following are some of the Cons of an Automated Web Application Security Testing approach: