Why does manual web application security testing matter most? We picked this topic from observation: most people involved in IT security, including security officers, tend to take the hassle-free route and adopt purely automated web application security testing. Manual web application security testing provides better coverage and reaches areas an automated web vulnerability scanner cannot, including actually exploiting the web application, yet many do not feel confident performing it, for instance when they see how others bypass a form's client-side checks or manipulate the form data before it is submitted back to the web application server for processing.
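The point about client-side checks is easiest to see in code. The following is an added example, not code from E-SPIN or the original post; the form fields, the limits and the `validate_signup` function are assumptions made for illustration. It shows why the server must repeat every check a browser-side script performs: the second, constructed submission is one the client-side validation would have rejected, yet the server receives it unchanged and must reject it itself. The role check also goes beyond what client-side code can enforce, since it is an authorization decision.

```python
"""Server-side re-validation of a web form submission (illustrative example)."""
import re
from dataclasses import dataclass, field


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


# Roles a user may pick for themselves; 'admin' is deliberately absent because
# privilege is an authorization decision the browser cannot be trusted with.
ALLOWED_ROLES = {"user", "editor"}


def validate_signup(form: dict) -> ValidationResult:
    """Validate a sign-up form exactly as if no client-side validation existed.

    `form` is the decoded request body as the server receives it. Every rule the
    browser-side script applied is applied again here, plus rules the client
    cannot enforce (the role whitelist).
    """
    errors = []

    # Username: same rule the client-side script would enforce.
    username = form.get("username", "")
    if not re.fullmatch(r"[A-Za-z0-9_]{3,32}", username):
        errors.append("username: 3-32 letters, digits or underscore")

    # E-mail: simple shape check; a real application would confirm by mail.
    email = form.get("email", "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        errors.append("email: malformed")

    # Role: whitelist, not a check the client can be relied on to make.
    role = form.get("role", "user")
    if role not in ALLOWED_ROLES:
        errors.append("role: not permitted")

    # Quantity: numeric range; the client sends a string, so parse defensively.
    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        qty = -1
    if not 1 <= qty <= 10:
        errors.append("quantity: must be an integer from 1 to 10")

    return ValidationResult(ok=not errors, errors=errors)


# Constructed sample submissions (not real traffic). The first is what the
# browser form sends after its own checks pass; the second is the same form
# after the client-side checks were removed or the fields edited in transit.
NORMAL_SUBMISSION = {
    "username": "alice_01",
    "email": "alice@example.com",
    "role": "user",
    "quantity": "2",
}
TAMPERED_SUBMISSION = {
    "username": "<script>",
    "email": "not-an-email",
    "role": "admin",
    "quantity": "-5",
}

if __name__ == "__main__":
    for label, submission in (("normal", NORMAL_SUBMISSION),
                              ("tampered", TAMPERED_SUBMISSION)):
        result = validate_signup(submission)
        print(f"{label}: accepted={result.ok}")
        for err in result.errors:
            print(f"  rejected -> {err}")
```

Run it and the tampered submission is refused on all four fields, although a browser that still ran the original script would never have sent it. Repeating the validation server-side is the control; the client-side script is only a convenience for the user.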
Part of the problem is misleading marketing: vendors of automated web application security testing tools do not disclose what their tool can and cannot do within holistic web application security testing. 99% of web applications on the internet have at least one vulnerability, but whether that vulnerability is a threat to your organization depends on threat modeling and vulnerability exploitation testing. No vulnerability testing tool vendor can automate threat modeling for you yet; you need to carry out threat modeling before technical vulnerability management, so that each vulnerability falls into the right perspective and context to be acted on. An automated web vulnerability scanner is script-driven behind the scenes, so not every testing scenario can be covered by it. As a result, the value of manual web application security testing tools keeps rising, as more educated IT security customers finally realize that they are missing many vulnerabilities that cannot be detected automatically, leave them out of threat modeling, end up being hacked, and only then start to look into the scenario.
Hackers do not rely on automated web scanners; at most they use manual web testing tools to exploit the application by hand and get what they want. So for effective cyber defense you always need complete coverage of your application security, tested holistically rather than purely automatically; otherwise, when your developers challenge you, you cannot even explain how you tested it. With manual testing you can always repeat the finding in front of the developer, and they are more likely to listen when you explain how you discovered the vulnerability by performing certain steps that ended in exploiting the application.
It is like learning to swim: once you are used to manual testing tools, you can always complement them with your automated web scanner and get the best of both worlds. So make sure you know, and help to do, the right things to support your organization in the right way. Everything can be learned; if you are really in the profession, it always makes sense to learn what is best for your organization.
E-SPIN Group has been in enterprise ICT solution supply, consulting, project management, training and maintenance for multinational corporations and government agencies across the regions where E-SPIN does business since 2005. Application security testing (AST) has always been one core pillar of the business we supply and maintain for customers over the years. Feel free to contact E-SPIN for a complete solution or your project inquiry.