
I am very skeptical of tools that find security flaws automatically.

I am enthusiastic about automation.

The holy grail is to strip away all the tedium from testing, leaving only the mental challenge of finding and exploiting the broken assumptions of our adversary developers.

Burp Suite does a very good job here. sqlmap crosses the line for us. But that doesn't make it a bad tool.



>I am very skeptical of tools that find security flaws automatically. I am enthusiastic about automation.

Just my $0.02 here, since I think tptacek has it covered (as usual). The way I explain use of automated tools to our clients is that, yes, the assessment you're paying for is to have a skilled security expert manually assessing your application. That said, in order to get the most efficiency out of manual testing, those parts which can be easily automated should be.

A few trivial examples would be finding open ports, or detecting expired/weak SSL certificates. Sure, an engineer could manually connect to all 65535 ports to see if they're open, and manually grab banners, or he could just run `nmap -p- -sV hostname`. Similarly, he could use openssl to check all aspects of an SSL certificate, but why bother when there are tools to do this for you?

The same is true in application security, although the examples can be a little fuzzier (pun intended?). The more seamlessly automation can be integrated into testing, the more time can be allotted for manual analysis. I think this is the point that tptacek was making, and I just wanted to expand upon it for those that might be a little confused.
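As an added illustration of the "expired/weak SSL certificate" check the comment above mentions (this is example code, not part of the thread or anyone's tooling): the script below drives only the openssl CLI. The two certificates it generates are constructed test input, and the thresholds (flag keys under 2048 bits, flag expiry within 30 days) are assumptions chosen for the example. For a live host you would feed `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` into the same check_cert function.

```shell
#!/bin/sh
# Added example: automate the expired/weak-certificate check with the openssl CLI.
# Not from the HN thread; thresholds and test certificates are constructed here.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed input: a self-signed cert with a deliberately small 1024-bit RSA key
# and one day of validity, so both checks should fire. Prints the PEM path.
make_weak_cert() {
  openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 \
    -subj "/CN=weak.example.test" \
    -keyout "$WORKDIR/weak.key" -out "$WORKDIR/weak.pem" >/dev/null 2>&1
  echo "$WORKDIR/weak.pem"
}

# Constructed input: a 2048-bit key valid for a year, which should pass cleanly.
make_ok_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=ok.example.test" \
    -keyout "$WORKDIR/ok.key" -out "$WORKDIR/ok.pem" >/dev/null 2>&1
  echo "$WORKDIR/ok.pem"
}

# Print the public key size in bits for a PEM certificate (e.g. "1024"),
# taken from the "Public-Key: (N bit)" line of `openssl x509 -text`.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 if the certificate is still valid $2 seconds from now, 1 otherwise.
# `-checkend` is openssl's own "will this expire within N seconds" test.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run both checks on one PEM file. Prints one finding per line and returns 1 if
# anything was flagged, 0 if the cert passed. Args: pem [horizon_secs] [min_bits]
# Defaults (assumed for this example): 30 days, 2048-bit minimum.
check_cert() {
  pem=$1; horizon=${2:-2592000}; minbits=${3:-2048}; rc=0
  bits=$(cert_key_bits "$pem")
  if [ "$bits" -lt "$minbits" ]; then
    echo "WEAK_KEY: $bits-bit key is below the $minbits-bit minimum"
    rc=1
  fi
  if ! cert_valid_for "$pem" "$horizon"; then
    echo "EXPIRING: $(openssl x509 -in "$pem" -noout -enddate) is within ${horizon}s"
    rc=1
  fi
  return $rc
}

# Usage demo: the constructed weak cert should produce two findings.
check_cert "$(make_weak_cert)" || echo "certificate failed automated checks"
```

The point of wrapping the two openssl calls in check_cert is that the same function can be looped over every host and port that `nmap -p- -sV` reported as speaking TLS, leaving the engineer to read a short list of findings rather than certificate dumps.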



