« Metasploit Framework 3.2 Released | Main | Article: What the NSA thinks of .NET 2.0 Security »

Automated security testing & its limitations

"The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)…   A good tester should know the weaknesses of the automated testers..

The problem with automated testers, is, simply put, they are not human.   That is they will not have intuition that a given function in a website is vulnerable.   When testing manually I find I get a feeling a function is vulnerable and then I concentrate on this perceived weakness..

Automated testers also only typically test some predefined vulnerabilities and although constantly being improved, they are far from perfect..

Automated testers do have their place however in greatly reducing the workload when security testing, allowing a lot of the tests which would usually take weeks to complete manually to be completed with a degree of confidence automatically.

My personal experience is they have a 25-30% valid findings rate of the vulnerabilities that we report in our assessments when setup correctly (less if not)."

Read more: http://www.itpro.co.uk/blogs/danj/2008/11/14/automated-security-testing-its-limitations/


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

So... what are you trying to say?

What automated tools are you talking about?

What security penetration tester 'instinct' are you talking about?

As in exploits? Or just plain intuition?

The point of his article is explaining the challenges of automated tools, the expectations you should have if you use them, and how they can be improved.