
Thursday, March 10, 2011

Tool vs. Manual approach

Using a tool for security testing is a good approach and helps in a quicker assessment of the application. That said, a tool-based approach should not be the only approach: a tool is just a tool, and there will always be a human factor that can't be neglected. A tool runs on a specific rule set, so there is a fair chance of it reporting "false true" (false positive) vulnerabilities. In our own experience we have seen that a few vulnerabilities were not detected by the tools at all, and that even with the same rule set the reports were inconsistent across different applications. So even after relying on the tool to a great extent, it is better to at least revalidate the findings manually before sharing them with the stakeholders.

There should be a proper blend of the manual and automated approach to discover security vulnerabilities in web applications. Automated tools were never intended to, and should never entirely, replace the manual penetration test. However, used correctly, automated tools can find a broad range of technical security vulnerabilities in web applications, saving time and money, with manual penetration testing used to augment the results for logical vulnerabilities that no rule set can express.
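To make the "false true" point concrete, here is an added example (not part of the original post, and not any scanner's actual code) of the kind of revalidation harness a tester can run over a scanner's findings before the report goes out. The findings, URLs and response bodies are constructed for the example. The naive `scanner_rule` stands in for a reflection rule that fires whenever the probe text comes back in the page; `revalidate` is the stricter check a human would apply, that the probe's metacharacters came back unencoded.

```python
import html
from dataclasses import dataclass

# Probe string a scanner might inject into a parameter to look for reflection.
PROBE = '<xss"probe>'


@dataclass
class Finding:
    """One reflection finding as a scanner might export it (constructed)."""
    url: str
    param: str
    probe: str
    response_body: str


# Constructed sample findings; hostnames and bodies are made up for the example.
FINDINGS = [
    # Reflected, but HTML-entity encoded: the rule fires, the bug is not real.
    Finding("https://app.example/search", "q", PROBE,
            "<p>Results for: &lt;xss&quot;probe&gt;</p>"),
    # Reflected raw inside an attribute: a genuine finding.
    Finding("https://app.example/profile", "name", PROBE,
            '<input value="<xss"probe>">'),
    # Not reflected at all: the rule should stay quiet.
    Finding("https://app.example/help", "topic", PROBE,
            "<p>No results</p>"),
]


def scanner_rule(f: Finding) -> bool:
    """Naive rule: report if the probe text appears in the page once entities
    are decoded. This is what produces a 'false true' on encoded output."""
    return f.probe in html.unescape(f.response_body)


def revalidate(f: Finding) -> bool:
    """Manual-style check: the probe must come back byte-for-byte, with '<'
    and '"' intact, which is the minimum for the markup to be live."""
    return f.probe in f.response_body


def triage(findings):
    """Split findings into what the scanner flagged and what survives revalidation.
    Returns a dict of URL lists keyed by outcome."""
    result = {"confirmed": [], "false_positive": [], "not_reflected": []}
    for f in findings:
        if not scanner_rule(f):
            result["not_reflected"].append(f.url)
        elif revalidate(f):
            result["confirmed"].append(f.url)
        else:
            result["false_positive"].append(f.url)
    return result


if __name__ == "__main__":
    for outcome, urls in triage(FINDINGS).items():
        print(f"{outcome}: {urls}")
```

Even the stricter check here is only a first filter: a raw reflection still has to be judged in its context (text node, attribute, script block) and confirmed in a browser before it belongs in a stakeholder report, which is exactly the manual step the post argues for.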

Refer: Security Acts, May 2010, Issue 3
