Security testing is a very important and critical process for any organization. Once an organization lose any confidential data due to security breach they also lose client trust and ultimately revenue.
Implementing the security testing process early in the SDLC is the key as it finds out and fixes the security bugs early in the SDLC lifecycle. Security testing process can be performed in two ways, Automated or Manual web application security testing.
Automated Security Testing
Automated security testing can speed up the testing process with very little effort. Automated security testing tools are good in findings common vulnerabilities (for example XSS, SQL Injection) within a very short time. However, automated scanning tools provide lots of false-positive issues that need to be verified by manual security tester.
Testing a large website manually is a very tedious task for manual security tester as they have to test one by one URL. Automation tools can help the tester to find out basic vulnerabilities quickly and they can focus their time on findings business logic and other security issues which tools cannot find.
Security compliance like PCI DSS required automated security testing (requirement 11.2) to be performed on a regular basis. Organizations are now implementing DevOps and CI/CD models to accelerate application delivery. Automated security testing is supporting the speed requirement in DevOps and CI/CD models.
Web application security testing tools that test web applications, normally as a black-box approach, to look for security issues such as XSS, SQL Injection etc. This category of tools is referred to as Dynamic Application Security Testing (DAST). A large number of both open source and commercial tools are available and these tools have their own strengths and weaknesses.
Example of open source DAST tools: OWASP ZAP, Nikto, SQLMap etc.
Example of commercial DAST tools: AppScan, Web inspect, Acunetix etc.
Manual Security Testing
Manual security testing is performed by Pentester who uses his personal skills and experience to find out the vulnerabilities in the application. Some categories of vulnerabilities, such as authorization and business logic flaws, cannot be found with DAST tools and will always require skilled Pentester to find them. Manual security testing is a time-consuming process and required application understanding to perform the test.
The Pentester also utilizes some tools to perform testing like customized scripts, proxy tools etc. Unlike automated security testing, false positive issues are not found in manual security testing.
Automation alone is not capable to ensure that an application is thoroughly tested from a security perspective. The application that holds sensitive data required safe to host approval from Pentester.
Manual and automation web application security testing complement each other. Both are equally important processes with the same goal. The organization has to balance both the process to secure the application.
The organization must use both methods, by beginning with automated security testing and supplementing that with manual penetration testing.