Application security beyond the scanner monkey

Matt Fisher of Piscis Security gave a talk about security beyond the "scanner monkey" phase. A scanner monkey is someone who runs a scanner tool, collects the output, and thinks the vulnerability assessment is done. There are more and more scanners - commercial, proprietary, and open source - and yet they are no longer good enough.

  • Scanners only start the process; they don't end it.
  • The person running the scanner is likely not skilled enough to configure it properly.

Perhaps the best quote from the presentation is "we don't fix cars by placing a screwdriver and wrench on the hood and hoping that things get fixed - we need talented people who use tools to fix things."

So, ultimately this presentation suggested that scanners are only part of the solution, and that we also need:
  • Front-end scanners and static code analysis
  • Interviews with the developers
  • Reviews with whoever manages the hardware and software of the application
And so on.

It wasn't clear what the takeaway was, other than "you should work harder", which is certainly true but not really motivating or useful to hear.