Jeremiah released a really interesting survey today in which he asked a number of security professionals some broad web application security questions. I feel bad that I didn't answer it myself when he sent it to me, but I would have skewed the results in almost the same direction everyone else did, so maybe that's not so bad. From a security perspective it's really interesting to see what other professionals think about certain things. Maybe the sample size is slightly too small to be exact, but really there aren't that many true web application security professionals out there, so maybe this IS the statistic.
The most interesting statistic that I found was the percentage of people who use web application security scanners for their penetration testing. 71% of the users polled said “never”. Ouch! That smacks of some serious issues with either functionality or perception of the scanners out there. What are the reasons why though? Why is it so difficult to test for web application security issues from an automation perspective?
The obvious answer is that there are just so many tests to be performed, and there isn't enough intelligence built into the scanners, so that even when they happen across an issue they can't reasonably tell what the issue is or what it means. They can only tell you which bucket it falls into and move on. That's just not enough. Maybe it tells you where to start looking for some of the obvious low hanging fruit, but does it make a serious enough dent in the overall vulnerability assessment to let you consider yourself secure? Well, it stands to reason that the experts would say no, based on the results Jeremiah came back with today. Interesting.