Injecting Automation into Pentesting - Akshar Tank

BSides Vancouver · 29:25 · 60 views · Published 2022-07
About this talk
In pen-testing environments, the tester approaches the target as if it is likely to be 100% unique. But that’s not the case. Most of the time developers’ mindsets match one another, or at least the mindset of a dev team is likely to be the same. So, when a tester is approaching his target, he will many times use the same methodology, find the same bugs, report them and wait for them to be fixed. But this approach is time-consuming, and many times the time to test an application is limited, due to which (I think) many unique attack surfaces remain untouched and bugs stay there. To overcome this, what if every basic scan, the initial recon of the target, or some basic vulnerabilities were automated, and we just had to verify them? That would be great: it would leave us with so much time, and we could explore new surfaces with it. Most of the time these checks (for single vulnerabilities) can easily be done with one-liners (many bash commands chained). This talk aims to familiarize security engineers with the power of automation. It will show how, by investing some amount of time to build automation as per one's needs, someone can save time in subsequent pentests.