Cracking Drupal - third way http://crackingdrupal.com/taxonomy/term/37/0 en Scalable application assessments in the enterprise http://crackingdrupal.com/blog/greggles/scalable-application-assessments-enterprise <p><a href="http://twitter.com/tomwparker">Tom Parker</a> &amp; Lars Ewe of <a href="http://www.cenzic.com/">Cenzic</a> discussed automated and manual testing and how to scale those practices to large enterprises.</p> <p>One big question they posed was "How often are you scanning your applications?" And the basic point is, we don't run virus scanners one time we run them regularly and the same should apply to application scanners.</p> <p>They contend that there are two major schools about scanning</p> <ul> <li>Automated testing is the only practical and financially scalable solution.</li> <li>Manual testing is the only valid solution.</li> </ul> <p>We just had a session about why automatic testing isn't enough <a href="http://crackingdrupal.com/blog/greggles/application-security-beyond-scanner-monkey">Application security beyond the scanner monkey </a> - but at least automated testing can make manual testers more efficient.</p> <h3>Why manual assessments don't scale</h3> <ul> <li>It's hard to find good people</li> <li>People are inconsistent</li> <li>So, fully manual testing tends to be expensive (about $140k/year) and how many applications can this person review per year at that rate?</li> </ul> <h3>History of scanners</h3> <ul> <li>People had manual testing and built tools to make it easier - like proxies.</li> <li>Some special purpose suites emerged like sql injection helpers.</li> <li>More and more automated tools were developed.</li> <li>Automated tools that covered a broad set of features are now available, but may provide too many false positives while also giving a false sense of security - they are very difficult to run properly.</li> </ul> <p>So, as has been said before, scanners are just a part of a full solution but they can be a very important part for reducing costs and making people more effective.</p> http://crackingdrupal.com/blog/greggles/scalable-application-assessments-enterprise#comments automated scanning manual scanning third way Fri, 13 Nov 2009 15:51:18 +0000 greggles 43 at http://crackingdrupal.com