There is no tool in the world that can fully replace a human when it comes to finding web vulnerabilities. A skilled security researcher is always able to find more than an automated scanner. There is just one problem. With a ratio of thousands of web applications to one skilled researcher, it’s humanly impossible, at least until we invent human cloning.

Do you want to keep your security researchers?

Any company that attempted to recruit a web application security researcher knows that once the word is out it’s unlikely that they’re going to get a flowing stream of applications. It’s rather the opposite: the recruiter has to painstakingly try to pinch experienced candidates from other businesses. To top it all off, it’s just as hard to recruit a junior employee for such a role simply because most universities don’t teach web application security.

The situation can be even direr when you hire a generic IT security expert and expect them to perform the role of a security researcher. Because IT security is such a deeply technical field, people tend to be specialized in only one area. And those who are not specialized are good for managing generic processes, not for finding web vulnerabilities. Don’t believe me? Ask a generic “IT security guy” or a candidate for such a role to explain SQL injections and see most fail miserably.

Therefore, you have absolutely no chance to cover all your web application security needs comprehensively while relying only on human skills. An automated tool is necessary to take most of the mundane work away from the security researcher – let them focus only on advanced vulnerability types that cannot be discovered by a tool.

Using a tool is also necessary to keep the security researcher interested in their work – if they are forced to manually look for the same simple vulnerabilities over and over again, they’re very likely to seek another position where they can grow and have more fun – most likely, in a company that uses automated testing. After all, there are a lot of recruiters hunting for them.

Give some of the work to someone else

Another “DIY myth” is that security researchers should be in charge of running security testing. As a result, a security researcher is stuck using the UI of a tool, while in reality the process could easily be automated. This is a result of the lack of awareness of what modern scanners can do and a perception that they are simple manual tools.

You can easily integrate modern vulnerability scanning into development processes so that the researchers rarely have to manually run the tool. Instead, researchers can be treated as consultants when their help is needed, for example, when a vulnerability scanner encounters something that is difficult for the developer to fix. They can then use all the freed-up time to manually look for interesting issues to make your software even safer and this is most likely going to make them happier with their job.

Are you sure that everything is automated?

You may have a web security scanner integrated into your SDLC but that does not mean that the processes are all automated. If the scanner is unable to verify the vulnerabilities that it reports and provide some kind of proof/evidence of that verification, most companies prefer to have security researchers double-check everything that is reported.

If the researcher is stuck manually verifying every vulnerability reported by an automated tool or even a major part of these vulnerabilities, you’re back to square one just as if you didn’t have an automated tool at all. The researcher is stuck with boring work, overloaded due to the number of issues reported, and very likely to seek employment elsewhere. To avoid that, you need confidence that the tool reports actual vulnerabilities.

A recipe for success

Here’s your three-step recipe to do DIY security right and retain your security researchers:

  1. Automatic detection – use a web security scanner to eliminate the need to manually search for vulnerabilities.
  2. Automatic scanning – use a scanner that can run as part of the SDLC to avoid the need for security researchers to manually use the tool.
  3. Automatic verification – use a vulnerability scanner that is able to confirm/prove vulnerabilities to avoid the need for security researchers to verify vulnerabilities manually.

Acunetix meets all these conditions and more. As a result of using it, your researchers will be happy, interested in their work, and less likely to jump ship, and you can say that your DIY security is working the best way possible.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.