The Slow Death of Manual Testing

We’ve seen the future and the future is scary...

 

If you pay attention to the security industry at the moment, you find that a lot of businesses are reinventing themselves as managed security service providers.

 

Managed services let organizations outsource the management and operation of security functions to another company. That makes a lot of overhead and work disappear for the customer, which is great. It also gives customers on-demand availability of services, and it can usually tie into an organization's own metrics or provide the security analytics that clients depend on. This is all great stuff.

 

The thing that alarms us is a shift in testing approach that many of these companies are making. We've seen many shops move away from manual testing to fully automated testing so that they can operate as a managed service provider.

 

There are several arguments for automated versus manual testing when it comes to web and mobile applications, and even more debate when it comes to dynamic versus static security analysis. The bottom line is that a successful security assessment needs both. In our experience a purely automated tool misses critically important things: business-logic vulnerabilities, functionality hidden deep in the application, and, because the tool has no context for the application, any sense of which application-specific content is actually sensitive.
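To make the logic-vulnerability point concrete, here is an added example (written for this post, not code from HP Fortify on Demand or any of its products): a checkout handler that trusts the client's price and quantity, beside a hardened version, plus a toy stand-in for the "known attack string" checks a scanner applies. The catalogue, the request shapes, the signature list and every function name are constructed for the demonstration. The tampered requests are syntactically clean, so the signature scan returns nothing, while the vulnerable handler happily charges one cent or issues a refund.

```python
# Added example (not from the original post): a business-logic flaw in a
# checkout handler that a payload-signature scan cannot see, beside the
# hardened handler. Catalogue, requests and signature list are constructed.
import re
from typing import Dict, List

# Constructed server-side catalogue (prices in integer cents): the only
# source of truth a checkout handler should trust for pricing.
CATALOGUE_CENTS = {"sku-100": 4999, "sku-200": 999}

# A toy stand-in for the "known bad string" checks a scanner or WAF applies.
# Real products do far more, but the point stands: none of these patterns
# describe a well-formed request carrying the wrong price.
INJECTION_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script",                 # reflected XSS probe
    r"'\s*or\s*'?1'?\s*=\s*'?1",   # classic SQLi tautology
    r"union\s+select",             # SQLi union probe
    r"\.\./",                      # path traversal
)]


def signature_scan(request: Dict[str, str]) -> List[str]:
    """Flag request fields whose value matches a known attack string."""
    findings = []
    for field, value in request.items():
        for sig in INJECTION_SIGNATURES:
            if sig.search(value):
                findings.append(f"{field}: matches /{sig.pattern}/")
    return findings


def checkout_vulnerable(request: Dict[str, str]) -> int:
    """Logic flaw: trusts the price and quantity the client sent.

    Every field is syntactically clean, so a signature scan reports nothing,
    yet a buyer can name their own price or order a negative quantity
    (which here becomes a refund).
    """
    qty = int(request["qty"])
    price_cents = int(request["price_cents"])
    return qty * price_cents


def checkout_fixed(request: Dict[str, str]) -> int:
    """Hardened handler: price comes from the catalogue, quantity is bounded."""
    sku = request["sku"]
    if sku not in CATALOGUE_CENTS:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(request["qty"])
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity {qty} out of range")
    # Any client-supplied price is ignored outright, not validated and used.
    return qty * CATALOGUE_CENTS[sku]


def fixed_rejects(request: Dict[str, str]) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        checkout_fixed(request)
    except ValueError:
        return True
    return False


# Constructed requests: the first two are what a manual tester finds by
# reading the purchase flow and tampering with it; the third is the kind of
# payload a scanner catches.
UNDERPRICED = {"sku": "sku-100", "qty": "1", "price_cents": "1"}
NEGATIVE_QTY = {"sku": "sku-100", "qty": "-3", "price_cents": "4999"}
XSS_PROBE = {"sku": "<script>alert(1)</script>", "qty": "1", "price_cents": "4999"}


def demo() -> Dict[str, object]:
    """Collect the results so they can be inspected or asserted on."""
    return {
        "underpriced_flagged": signature_scan(UNDERPRICED),
        "underpriced_vuln_total": checkout_vulnerable(UNDERPRICED),
        "underpriced_fixed_total": checkout_fixed(UNDERPRICED),
        "negative_flagged": signature_scan(NEGATIVE_QTY),
        "negative_vuln_total": checkout_vulnerable(NEGATIVE_QTY),
        "negative_fixed_rejected": fixed_rejects(NEGATIVE_QTY),
        "xss_flagged": signature_scan(XSS_PROBE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the two tampered requests come back with no findings from the signature scan, a total of 1 cent and a total of -14997 cents from the vulnerable handler, and the correct 4999 cents or a rejection from the hardened one. Only the `<script>` probe trips the scan. Nothing about the request tells an automated tool that `price_cents` should never have been accepted from the client; a tester who has read the checkout flow knows it immediately.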

 

One thing that Fortify on Demand has always been very cognizant of is the role of the manual tester in a managed service provider model. Our testers truly “think like a bad guy.”

 

We cut our teeth on being a managed service before many other companies had even thought about it. When Fortify on Demand was created we folded all of our groups together into one service, so that the automation and speed of a managed service did not cost us any of the power of the manual tester.

 

That's why Fortify on Demand employs a large team of manual testers who both validate and go beyond what HP's flagship products, Fortify SCA and WebInspect, find. Every assessment is handled and validated by a security engineer. In our premium services we perform a full manual methodology covering web, mobile, static analysis and penetration testing.

 

When shopping for an assessment service, make sure your assessments are augmented by professionals. Bad guys don't stop at running a scanner against your site, and neither should your service.

 

As always, feel free to reach out to us here at Fortify on Demand with any questions via Twitter (@hpappsecurity) or via email (fodsales(at)hp.com). We'd love to hear your questions or comments about our manual testing and how it affects your organization.

 

---------

 

About HP Fortify on Demand

 

HP Fortify on Demand is a cloud-based application security testing solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing and ERP testing, and we do it both statically and dynamically, both in the cloud and on-premise.
