Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. In fact, the quality of your tools for performing a site security audit will have a direct impact on the number of vulnerabilities you discover and the overall success of your testing.
Many have argued – myself included – that you cannot rely on tools alone to find all security vulnerabilities. This is absolutely correct. In all but the most basic security checks, you have to rely on experience and technical knowledge to root out the less-than-obvious vulnerabilities that black-box scanners simply cannot find. That said, manual testing alone is too time-consuming, limited and, for many, downright difficult. A good balance of tools and manual analysis is needed.
The major issue here is that selecting ineffective security testing tools can be a costly venture. I’ve burned thousands of dollars and countless hours on tools that seemed like a good fit based on their tricked-out websites and fancy marketing slicks. But talk is cheap, so buyer beware. You have to take these tools for a spin to see if they’re going to be a good fit based on YOUR style inside YOUR environment, and based on YOUR business needs.
Whether you’re doing the actual work or just want to make sure your IT and security staff members are using what’s best for the organization, the simple truth is that good security audit tools can and will make a difference. Always remember that there is no one best tool, but if you’re smart about your approach you shouldn’t have to spend a lot of money to get the job done right. If you invest a relatively small amount of time researching, asking prospective vendors tough questions and actually trying the tools before you buy them, then you can’t lose.
When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook.