Web application security is interesting to test, in particular because, unlike most network and operating system testing, most web applications are custom-built. Even when they’re not custom-built, there’s enough diversity out there that simply looking for known problems isn’t good enough. You need to review the application itself.

At one of my previous employers, we had a good system for reviewing all web applications with a couple of commercial scanner tools; applications could not be deployed into production until the results of those scans were acceptable. Application scanners do not, of course, catch everything — there are always esoteric conditions that are easily missed in automated tests. Manual testing has an important place in assessments. Automated testing, though, does have a number of advantages.

The link for this article located at Caffinated Security is no longer available.