An application penetration test is always said to be incomplete if it does not do the following:
- Following the standard methodology of performing recon
- Enumerating functionality
- Testing individual parameters
- Creating test cases
- Performing non-invasive exploitation
- Providing a report that talks about the issue
- Implementing steps to reproduce, proof of concept code, and possible mitigation
During my career, on numerous occasions, I have come across security consulting companies or independent professionals that are known to run an automated scanner that detects only a handful of vulnerabilities and almost always does not discover logical issues. These vulnerabilities are then exploited with a half-baked exploit that does very little in terms of explaining the business impact and criticality of the findings to the end client.
Scanning for vulnerabilities...