We’re familiar with the cliché, "If your only tool is a hammer, then every problem looks like a nail." Because software is so complex and no single solution can adequately conduct comprehensive software security testing, it's important to make sure our testing toolboxes hold more than one tool.
The toolbox metaphor is quite apt: your physical toolbox contains several types of screwdrivers of varying sizes because screws come in different types and sizes. Using a Phillips screwdriver on a Torx screw does not work effectively. Using the right tool for the job can mean the difference between success and failure.
We live in a tool-centric world where there is a natural tendency to use automation to help us work more efficiently. Automation lets us handle repetitive tasks with ease: it spares us the tedium of mundane work, dramatically speeds up those repetitive tasks, and performs them consistently every time.
Which Tools to Use and When
Automated tools can really help with software security testing, particularly when there is a lot to test, and they can even run while code is being written. An organization that relies exclusively on automated software testing, however, is a case of having just a hammer. Automated software testing alone can’t provide the deep testing coverage organizations need to find deeply rooted, business-logic, and compound vulnerabilities. Additionally, automated software testing often struggles on complex systems built with technologies such as Ajax, Flash, and Silverlight. In these cases, manual testing picks up where automated tools leave off and gives you both the broad and the deep testing coverage you need.
A balanced security testing approach uses automated testing to look for the obvious issues that it finds so well. Manual testing then fills in the gaps: the areas that need extra scrutiny (security-sensitive functions) and the areas that can’t be effectively tested with automated solutions.
Manual security testing does a good job of weeding out false positives and can be used to show how several lower-risk security defects can be chained together to create a successful breach. Some people feel that medium- and lower-risk security defects aren’t that critical; however, it is common for attackers to chain them together into one massive attack, a situation that only manual testing can simulate. Manual testing excels at finding business logic errors because humans are better than automated tools at understanding complex workflows and business logic. And it is necessary for a human to look closely at, and thoroughly test, the high-value and security-sensitive parts of the application.
Using the right tool for the job really makes a difference. Make sure your application security toolbox includes the right balance of automated and manual testing for complete testing coverage.