Pentest People take a look at the differences between automated and manual Web Application Testing
A vulnerability scan uses automated tools to look for ‘low hanging fruit’, loosely defined as obvious vulnerabilities that require little or no skill to locate. Vulnerability scanners are not intelligent. They are good at finding issues such as missing HTTP security headers (for example, an X-Frame-Options header absent from HTTP responses), but they will not identify business logic vulnerabilities such as the ability to view one user's data from another user's account. A vulnerability scan should, in no way, be considered a full penetration test.
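To make the distinction concrete, here is an added example (not Pentest People's tooling, and not code from the original article) of the kind of check an automated scanner performs: it parses the head of an HTTP response and reports security headers that are missing or carry weak values. The header set, the validity rules and the two sample responses are constructed for illustration. Note what the check cannot see: it inspects only what the server sends back, so it says nothing about whether one authenticated user is able to read another user's data, which is exactly the class of finding that needs a human tester.

```python
"""Added example: a minimal 'missing security headers' check of the kind an
automated scanner runs. Header set, rules and sample responses are constructed
for illustration; this is not Pentest People's code."""

import re

# Header name -> predicate that returns True when the value is acceptable.
# The rules are a constructed, deliberately small subset of common guidance.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _hsts_max_age(v) > 0,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
}


def _hsts_max_age(value):
    """Extract the max-age directive from an HSTS header; 0 if absent/invalid."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def parse_response_head(raw):
    """Split a raw HTTP response into (status line, {header: value}).

    Only the head (before the blank line) is parsed; the body is ignored.
    Later duplicate headers overwrite earlier ones, which is fine for a check
    that only asks 'is a usable value present'.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return status, headers


def check_security_headers(headers):
    """Return a list of findings for one response's headers.

    Header names are matched case-insensitively. Findings are ordered by the
    REQUIRED_HEADERS table so output is stable across runs.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_valid in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not is_valid(lower[name]):
            findings.append(f"weak value: {name}={lower[name]!r}")
    return findings


def scan_responses(responses):
    """Run the header check over a {label: raw_response} mapping."""
    return {
        label: check_security_headers(parse_response_head(raw)[1])
        for label, raw in responses.items()
    }


# Constructed sample responses: one hardened, one with gaps and a weak value.
SAMPLE_RESPONSES = {
    "hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "\r\n<html></html>"
    ),
    "weak": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: ALLOWALL\r\n"
        "\r\n<html></html>"
    ),
}


if __name__ == "__main__":
    for label, findings in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{label}: {findings or 'no header findings'}")
```

Running the block reports no findings for the hardened response and four for the weak one. A clean result here is precisely the "no critical or high" scanner output the article warns about: the application could still leak one customer's records to another and this check would never notice.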
As with a penetration test, the vulnerabilities discovered and the mitigation advice are issued in a report. However, the findings are not verified and no proof of concept is created. The output of the automated tools is taken at face value, and it will typically include false positives; verifying these issues is left to the company in question.
Which Option is Best?
A Penetration Test should always be performed before any automated security scanning. Automated scanning does not provide a thorough assessment of the application.
A report with no critical or high risk vulnerabilities from an automated scan cannot be considered a clean bill of health for the application.
Once a full penetration test has been completed, vulnerability scanning should be arranged at quarterly intervals.
A penetration test is a snapshot in time, so quarterly vulnerability scanning should be undertaken to look for any obvious changes between penetration tests.