"The team I work in uses both automated scanners, along with a few
humans testing (minimum of 2)… A good tester should know the
weaknesses of the automated testers..
The problem with automated testers, is, simply put, they are not
human. That is they will not have intuition that a given function in
a website is vulnerable. When testing manually I find I get a feeling
a function is vulnerable and then I concentrate on this perceived
weakness..
Automated testers also only typically test some predefined
vulnerabilities and although constantly being improved, they are far
from perfect..
Automated testers do have their place however in greatly reducing
the workload when security testing, allowing a lot of the tests which
would usually take weeks to complete manually to be completed with a
degree of confidence automatically.
My personal experience is they have a 25-30% valid findings rate of
the vulnerabilities that we report in our assessments when setup
correctly (less if not)."
Read more: http://www.itpro.co.uk/blogs/danj/2008/11/14/automated-security-testing-its-limitations/
