Comprehensive Manual Penetration Testing (MPT) extends beyond identifying and
documenting discrete vulnerabilities. These assessments are scenario-driven: testers build
attack scenarios to investigate whether multiple lower-risk flaws can be chained into a
larger, higher-impact attack.
This testing provides a better understanding of whether identified flaws affect the
confidentiality, integrity, or availability (CIA) of the application. For example, a manual
tester can use a combination of tools, techniques, and custom approaches to determine whether it
is possible for an attacker to:
- Circumvent authentication and authorization mechanisms
- Escalate application user privileges
- Hijack accounts belonging to other users
- Violate access controls placed by the site administrator
- Gain unauthorized access to data
- Alter data presentation
- Circumvent application business logic
- Circumvent application session management
- Break or analyze the use of cryptography within user-accessible components
Veracode asks organizations to complete a questionnaire to define the scope of manual
penetration testing. The defined scope enables the Veracode team to determine the service
offerings that most effectively suit the needs of the assessment while maximizing test coverage.
The test coverage and the composition of identified vulnerabilities generally correlate with the
current SANS Top 25 or OWASP Top 10 categories.