With so many automated tools around, it is no wonder that many organizations choose to automate some aspects of security testing. There is value in doing this, especially for human-supervised fuzzing, or for automated dynamic or static analysis that catches suspicious code and low-hanging-fruit vulnerabilities early in the development cycle. That is intelligent use of automation.
However, some people without a security background may be tempted to believe that all that is needed to secure a website or mobile app is to:
- Just run a tool (ideally free)
- Wait for the results
- Fix what comes up
In fact, that is the promise that many software security tool vendors make.
Why does this kind of thinking excite attackers?
Let me get this straight: if automation is all you do for security, if that is the only security testing process you have in place, you are likely far from having a secure website, mobile app or desktop app.
Take a step back and think about it:
If security were as easy as running a tool and waiting for the results… why do great companies like Google and Facebook:
- First, heavily fuzz and run automated tests on their own software
- Then employ (really smart) staff who also perform penetration tests internally
- Next, hire third-party penetration testing companies for additional tests
- Finally, run bug bounty programs for anything that was still missed
That is 3 layers of penetration testing by humans on top of the automated tests.
If automated tests caught everything, why would Google and Facebook do this?
Are you familiar with the BSIMM study?
The Building Security In Maturity Model (BSIMM) is a multi-year study that gathers data about existing software security initiatives in top companies. The BSIMM9 model, built directly out of data observed in 120 firms, revealed that in 2018, 87.5% of the companies participating in the BSIMM study used external penetration testers to find security issues.
Can 87.5% of the companies most mature in software security, as well as Google and Facebook, be wrong? Technically they could, but given the brainpower and deep pockets in those organizations, you would think there must be some value in manual penetration testing, right?
So, what are the challenges? Why are automated tools not enough?
Why is it so hard for automated tools to find certain types of security issues?
Why are humans still valuable to identify and report certain security vulnerabilities?
We did some research and put together a free report to answer these questions, so the next time your boss or business partner says “but we can just scan that web app and we will be OK, right?”, you can show exactly why that is not the case.
Get it here: