Practice Makes PerfectYou know the saying about riding a bicycle – do it once and you’ll remember it forever? That may be true for bicycles, but it’s certainly not the case when it comes to web security testing. The tools we use and the flaws we’re attempting to find evolve over time. Your web scanner experience plays an important role in the success of your web security testing.

Keep in mind that not all experience is good experience. As with golf, driving, or any other sport or trade, experience (I call it “seat time”) doesn’t automatically translate into good experience. Be it a golf club, race car, or web vulnerability scanner, if you continually use it in all the wrong ways, then you’re not going to realize the best results.

The tools we have at our disposal in information security are more complicated than many people think. Can you imagine radiologists, home inspectors, or auto mechanics not being formally trained in the tools they rely on in their work? Why should we be any different? The formal training part is hard to come by in our profession but that doesn’t mean you can’t learn what needs to be learned.

Spend some time reading through the Help and related documentation for your scanner. Scan the test sites that most vendors provide in their web vulnerability scanners. Don’t be afraid to tweak your scanner’s settings to see what works best and finds the most flaws. Look for videos on YouTube that your vendor or others have created showing you the latest tips and techniques for getting the most out of the scanner. You can even consider taking classes on ethical hacking where you can learn some of the essentials in a hands-on lab environment.

With every new web vulnerability scan comes a new learning experience. Building on what we learn, we can tweak our scanners and use them better to our advantage. Even if you’ve been using your scanner for years, there’s always something more to learn – something more to get out of it. Developing these skills will translate into better web security assessment results and everyone ultimately benefits.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.