Conducting a Web application vulnerability assessment is both a science and an art. The way you approach it will depend
on your objectives, your security test policy, and your skill level. There are many different tools and techniques that
can be employed.
Automated security testing tools alleviate a lot of the tedious work involved in security testing. Also, automated
tools enable developers and QA specialists who are not security experts to perform vulnerability assessments of their
Web applications.
If you are using an automated tool, your first step will be to configure your security scan based on your test policy
and the characteristics of your test target. After running the scan, you will need to verify each finding and remove
false positives.
Skilled security auditors may choose to perform additional manual tests, which were not covered by the automated
scanner.
Sometimes, security testers face a challenge when communicating their findings to application owners and developers, because
their reports of vulnerabilities might be met with a degree of skepticism. In some cases, the security testers might
need to exploit certain key vulnerabilities, so that they can demonstrate the threat to the application stakeholders.
Furthermore, during the process of exploiting identified security vulnerabilities, a security auditor could find
additional vulnerabilities.