Veracode Manual Penetration Testing (MPT) involves one or more Veracode penetration testers who perform tests and simulate real-life attacks. The goal of MPT is to determine the potential for an attacker to successfully access and perform a variety of malicious activities by exploiting vulnerabilities, either previously known or unknown, in the software.
- Assess how vulnerabilities could be exploited against a target application, establishing a running profile of attack methods that are discovered against the target.
- Execute test cases that uncover software vulnerabilities, with minimal to no impact to service availability of the target application.
- Customize and expand attack payloads to execute against the specific target application, and account for the specifics of its implementation and environment.
- Analyze captured data for vulnerability patterns, interpreting the results, and developing remediation recommendations
Veracode recommends that your organization uses MPT in conjunction with other automated security assessments, so that your organization can build upon and extend the findings identified by Veracode's automated assessments. This approach allows penetration testers to focus on business logic flaws and complex attack schemes that are not easily automated.
Details of Veracode Manual Penetration Testing are available in the methodology section of the Veracode Detailed PDF Report and Customizable PDF Report.
All Veracode Manual Penetration Testing is performed according to industry-standard testing methodologies where applicable. The following table describes the test type, methodology, and vulnerability types that Veracode uses for manual penetration tests.
|Web application/API||OWASP Testing Guide||OWASP Top 10 and CWE Top 25|
|Mobile application||OWASP Mobile Security Testing Guide||OWASP Mobile Top 10|
|Desktop or thick-client applications||OWASP recommended testing guidance and best practices||
|Internet of things (IoT) and embedded systems||OWASP IoT Testing Guide and other industry best practices||OWASP IoT Top 10|
|Infrastructure and Operations (DevOps Penetration Testing)||PTES (Penetration Testing Execution Standard), NIST SP 800-115, PCI DSS 11.3 (for PCI engagements)||Can vary depending on scope and rules of engagement|