[WEB SECURITY] In depth security scanning versus breadth based

robert at webappsec.org robert at webappsec.org
Wed Jul 8 00:09:24 EDT 2009

> For simple web applications with no "wizard-like" logic, this might be
> achieved... but when the application starts to get more complex, IMHO
> you've got two ways to go:
> - Throw away the scanner, and perform manual testing, which is the
> only real way in which you'll be sure that all the web application
> vulnerabilities are being found. With this, I'm not saying that

You make the general statement assuming that manpower is available for re-pen-testing
every parameter on every product release. The reality is most people will never be able
to afford this. Not to mention that hiring penetration testers doesn't scale, and QA is only capable
of so much.

Scanners are good at finding *certain issues* (each app/site is different), and as I said in my
previous email, I don't want to get into that debate/discussion. I am asking the list if anyone has tried
implementing this and had good/bad luck, and to share their experiences.

> scanners are useless! Damn... I write one in my spare time! What I'm
> saying is that when the web application gets really, really complex...
> the only way to test it properly is by hand.

Nobody is debating the need for deep-dive pen tests, but if you wish to test on every release,
this is simply impossible for 99.99999999% of companies/organizations.

- Robert
