Understanding Manual Penetration Testing

Manual Penetration Testing

Veracode Manual Penetration Testing (MPT) involves one or more Veracode penetration testers who perform tests and simulate real-life attacks. The goal of MPT is to determine the potential for an attacker to successfully access and perform a variety of malicious activities by exploiting vulnerabilities, either previously known or unknown, in the software.

To perform a manual assessment, the penetration testers:
  • Assess how vulnerabilities could be exploited against a target application, building a running profile of the attack methods discovered against the target.
  • Execute test cases that uncover software vulnerabilities, with minimal to no impact on the service availability of the target application.
  • Customize and expand attack payloads to execute against the specific target application, accounting for the specifics of its implementation and environment.
  • Analyze captured data for vulnerability patterns, interpret the results, and develop remediation recommendations.

At Veracode, a team of penetration testers performs these activities while updating and expanding the automated tests that supply the testers with the best available tools for simulating a variety of attacks. Penetration testers can intuitively understand the design and functionality of applications, complex authorization processes, and business logic requirements in ways that computing systems cannot replicate today. Human testers can identify unorthodox ways of attacking applications. These insights enable developers to secure their applications against a broader range of attacks.

Veracode recommends that your organization use MPT in conjunction with its other automated security assessments, so that your organization can build upon and extend the findings identified by Veracode's automated assessments. This approach allows penetration testers to focus on business logic flaws and complex attack schemes that are not easily automated.

Veracode uses industry standards for classifying and reporting manual penetration test vulnerabilities, including:

Details of Veracode Manual Penetration Testing are available in the methodology section of the Veracode Detailed PDF Report and Customizable PDF Report.

All Veracode Manual Penetration Testing is performed according to industry-standard testing methodologies where applicable. The following table describes the test type, methodology, and vulnerability types that Veracode uses for manual penetration tests.

Test Type: Web application/API
Methodology: OWASP Testing Guide
Vulnerabilities: OWASP Top 10 and CWE Top 25

Test Type: Mobile application
Methodology: OWASP Mobile Security Testing Guide
Vulnerabilities: OWASP Mobile Top 10

Test Type: Desktop or thick-client applications
Methodology: OWASP recommended testing guidance and best practices
Vulnerabilities:
  • Application Logic
  • Code Injection
  • Local Storage
  • Binary Exploitation and Reverse Engineering
  • Excessive Privileges
  • Unencrypted Storage of Sensitive Information
  • Unencrypted Transmission of Sensitive Information
  • Weak Encryption Implementations
  • Weak Assembly Controls
  • Weak GUI Controls
  • Weak or Default Passwords

Test Type: Internet of Things (IoT) and embedded systems
Methodology: OWASP IoT Testing Guide and other industry best practices
Vulnerabilities: OWASP IoT Top 10

Test Type: Infrastructure and Operations (DevOps Penetration Testing)
Methodology: PTES (Penetration Testing Execution Standard), NIST SP 800-115, PCI DSS 11.3 (for PCI engagements)
Vulnerabilities: Can vary depending on scope and rules of engagement