Practice Makes Perfect

You know the saying about riding a bicycle – do it once and you’ll remember it forever? That may be true for bicycles, but it’s certainly not the case when it comes to web security testing. The tools we use and the flaws we’re attempting to find evolve over time. Your web scanner experience plays an important role in the success of your web security testing.

Keep in mind that not all experience is good experience. As with golf, driving, or any other sport or trade, experience (I call it “seat time”) doesn’t automatically translate into good experience. Be it a golf club, race car, or web vulnerability scanner, if you continually use it in all the wrong ways, then you’re not going to realize the best results.

The tools we have at our disposal in information security are more complicated than many people think. Can you imagine radiologists, home inspectors, or auto mechanics not being formally trained in the tools they rely on in their work? Why should we be any different? Formal training is hard to come by in our profession, but that doesn’t mean you can’t learn what needs to be learned.

Spend some time reading through the Help and related documentation for your scanner. Scan the test sites that most vendors provide in their web vulnerability scanners. Don’t be afraid to tweak your scanner’s settings to see what works best and finds the most flaws. Look for videos on YouTube that your vendor or others have created showing you the latest tips and techniques for getting the most out of the scanner. You can even consider taking classes on ethical hacking where you can learn some of the essentials in a hands-on lab environment.

With every new web vulnerability scan comes a new learning experience. Building on what we learn, we can tweak our scanners and use them better to our advantage. Even if you’ve been using your scanner for years, there’s always something more to learn – something more to get out of it. Developing these skills will translate into better web security assessment results and everyone ultimately benefits.

Kevin Beaver

Kevin is an information security consultant with 30 years’ experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements (keynotes, panel discussions, and webinars).