.png)
In urgent need of assistance from our Incident Response team? Click below to email directly and get support.
Get Support
Set up regular vulnerability scans for Web Apps & Infrastructure with our innovative SecurePortal
Learn More
PTaaS Packages For All Businesses
Distribute, manage and monitor remediation tasks effortlessly with PTaaS, powered by SecurePortal
View PTaaS Options
SecurePortal 2.11 - Single Sign On (SSO) and Requested Upgrades
Read
Need Our Assistance?
We now offer Incident Response Retainers helping you reduce damage from a cyber attack
Read
Web Application Testing -
Manual vs Automated
Pentest People take a look at the differences between automated
and manual Web Application Testing
.webp)
What Level of Testing is Required for Web Applications?
Web Applications often store PII and provide sensitive functionality. Due to this, Web Application Penetration Testing have become a popular target for malicious threat actors. Successful compromise of a web application may lead to losing sensitive data, reputation, and access to the underlying server. Web applications must be thoroughly tested to ensure that they do not pose a security risk.
At Pentest People, we are regularly asked about what level of penetration testing is needed for a web application, and the answer is entirely dependent on the web application, what data is held within it and client requirements. The purpose of this article is to discuss the differences between a manual penetration test and a vulnerability scan.
What is a Manual Penetration Test?
A Penetration Test is a simulated attack, carried out manually by a trained security consultant. The consultant will follow a methodology to look for known vulnerabilities and common attack vectors. Vulnerabilities are verified, a proof of concept is created and mitigation advice is issued within the context of a report.
Vulnerability scanning is part of our methodology for a full penetration test, however, the consultant will be looking for business logic and more in-depth vulnerabilities such as weak/broken access controls that allow users to view others sensitive data.
What is an Automated Vulnerability Scan?
A vulnerability scan uses automated tools to look for ‘low hanging fruit’ which is loosely defined as obvious vulnerabilities that require little or no skill to locate. Vulnerability scanners are not intelligent, they are good for finding vulnerabilities such as ‘Missing HTTP security headers’ like X-frame options missing from HTTP responses, however, they will not identify business logic vulnerabilities like the ability to view one user's data from another account. These should, in no way, be considered full penetration tests.
Similar to a penetration test, the vulnerabilities discovered, and mitigation advice will be issued in a report, however, the findings will not be verified, nor will a proof of concept be created. The findings from the automated tools are trusted, which will typically include false positives. The verification of these issues will be down to the company in question.
Pentest People Are Trustworthy & Experienced
Which Option is Best?
When is it Necessary to Perform
These Types of Tests?
When should I perform a Penetration Test?
A Penetration Test should always be performed before any automated security scanning. Automated scanning does not provide a thorough assessment of the application.
A report with no critical or high risk vulnerabilities from an automated scan cannot be considered a clean bill of health for the application.
When should I perform a Vulnerability scan?
Once a full penetration test has been completed, vulnerability scanning should be arranged at quarterly intervals.
A Penetration Test is a snapshot in time, quarterly vulnerability scanning should be undertaken to look for any obvious changes between penetration tests.
Learn Something New
Have a read of our blogs written by industry experts, covering topics from all areas in cyber.
What is the UK Cyber Security & Resilience Bill and Why Does it Matter to Your Business?
The UK’s Cyber Security & Resilience Bill aims to significantly strengthen national cyber defence by expanding regulations, enhancing incident reporting, and improving resilience across both public and private sectors. It introduces stricter security standards for a broader range of businesses, including Managed Service Providers (MSPs) and Small to Medium-sized Enterprises (SMEs), many of which were previously outside regulatory scope.
What Does The EU Cyber Resilience Act Mean for Your Organisation?
The EU Cyber Resilience Act marks a major shift in how digital products and software are regulated for cyber security. But what does it really mean for your organisation? Whether you're a software vendor, device manufacturer, or part of the supply chain, the CRA introduces new responsibilities, and penalties for non-compliance. This blog breaks down the essentials, explain who’s affected, and outline what your business needs to do to stay ahead.
Europe Launches EUVD: A Step Toward Cybersecurity Resilience and Strategic Autonomy
The European Union has introduced a new cyber security blueprint aimed at enhancing its collective resilience against large-scale cyber incidents. This initiative outlines a comprehensive framework for crisis management, detailing the roles of EU entities throughout the entire lifecycle of a cyber crisis, from preparedness and detection to response and recovery.
Cyber Security Incident Response: 5 Steps to Mitigate and Recover from Attacks
Learn how to protect your business with a clear, five-step Cyber Security Incident Response Plan. This guide covers how to assess damage, contain threats, restore systems, learn from attacks, and build a strong response strategy—so you can act fast, minimise impact, and stay secure.
.svg)
.webp)
