Differentiating the Pros and Cons of Automated Security Testing

Advantages of Automated Security Testing

▪ Scalable

▪ Repeatable

▪ Automatically block builds when tests fail (gating)

▪ Security becomes a habit, a standard in the development process

▪ Test results can change over time even if the code doesn’t change

Disadvantages of Automated Security Testing

▪ Scans can take a long time

▪ Tools are generic

▪ False positives can get in the way

▪ Configuring and maintaining relevant tests is a continuous cost

▪ Security is not static, so test parameters should change over time

When Automated Security Testing Is Useful

▪ Investment versus reward

▪ When delta scans are easy

▪ To comply with standards

▪ To get a security baseline

When Automated Security Testing Is Less Useful

▪ Investment versus reward

▪ Complex business rules

▪ Fast-changing environments

▪ Mix of frameworks and languages

Some advice for using tools

▪ Use more than one tool for the same kind of test

▪ Let the team experiment with different tools

▪ Reporting format can make a difference

▪ Implement what works best for the team

▪ Facilitate, not mandate

▪ Know what to do with non-compliance results before implementing scans