Michael R. Farnum

Hitting the Security Nerve

Automated application security tools - useful, but not a replacement for human eyes and brains

I was speaking with someone at a small security conference this week, and she was asking about how our application security team performed their assessments.  She was wondering specifically if we used automated tools or used manual processes.  My answer was, "Yes."  She laughed because I'm witty and cute, ...er, I mean, because she understood what I meant.

What I told her was that each method had its uses.  My company has a lower-cost offering where we will use just tools to scan apps, but we always give the caveat that the tools will typically only catch the low-hanging fruit, which are the more obvious vulnerabilities.  But if the company needs a more in-depth analysis of the security of the application, then there is no substitute for the well-trained and extremely talented application guru who is also trained in the fine arts of secure coding (did I just use contradicting terms?).

Then today I read this post over at the GNUCITIZEN blog, which references Jeremiah Grossman's post about the same thing.  Jeremiah shows his frustration with some companies that put out these products because they say they can check for certain problems, but in the real world, they fail to perform as promised by marketing.  Now granted, Jeremiah's company has their own app security tool, so that has to be taken into consideration when looking at his post (not saying he is dishonest, but maybe biased a little).  But Jeremiah's company also combines testing by real people with the tool, which makes for a much better result (I have never used Jeremiah's services - I just know the one-two punch is more effective).

So, the point is that if your business is satisfied with the level of check performed by automated tools, then you can have a decent level of comfort knowing that many of the most obvious problems will probably be caught.  But if you want to protect against the dedicated bad guy who really wants your data, then you need to look at some personal attention.

What People Are Saying

interesting

Thanks, it's really interesting

"Then today I read this post

"Then today I read this post over at the GNUCITIZEN blog, which references Jeremiah Grossman's post about the same thing."
OMG! It's fake!