Web security tools are not a magic solution to the web security problem. They do help you discover a plethora of vulnerabilities in a fully or semi-automated fashion. However, they can also miss quite a few issues, especially when used by inexperienced testers. So, is it still worth spending time and money running security tools? The answer is yes, of course yes. Here are a few pointers to consider if you are still in doubt.
You see, web security tools, such as scanners, fuzzers and so on, are nothing more than fancy unit/integration tests with a specific purpose. If you understand the benefit of integration tests, you should also understand the value of automated security tests. They belong to the same group of tools designed to help you deliver more robust systems. Web security tools are primarily concerned with vulnerabilities, but they can also be used to stress-test the integrity of your application, because they generate a lot of unexpected input that ordinary functional tests never exercise.
In a perfect world, developers would write security tests as part of their own test suites. Unfortunately the web security field is very niche and technical, and it can be intimidating and overwhelming at times. There are two options, which are equally beneficial. You can either train your developers to also become good security testers, or you can equip them with automated security tools so that at least the low-hanging fruit is caught. Depending on your organization's type and size you may choose one or the other, or even both. I believe most mature companies out there practice both.
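To make the "security tests are just integration tests with a specific purpose" point concrete, here is an added example that is not code from the original post or from any vendor's product. It assumes a hypothetical search endpoint modelled as a plain Python function, a deliberately weak version next to a hardened one, and a constructed list of hostile payloads of the kind a scanner or fuzzer would generate. The check runs every payload through the handler and records anything a developer could act on without security expertise: a crash, a 5xx, or input echoed back without HTML escaping.

```python
import html
from dataclasses import dataclass
from typing import Callable

# Hypothetical request handlers standing in for the application under test.
# Each takes the raw ?q= value and returns (status_code, html_body).
Handler = Callable[[str], tuple[int, str]]


def weak_search_handler(query: str) -> tuple[int, str]:
    """Deliberately weak version: reflects the query unescaped and crashes on
    oversized input instead of returning a clean 4xx."""
    if len(query) > 1024:
        raise ValueError("query too long")
    return 200, f"<p>Results for {query}</p>"


def hardened_search_handler(query: str) -> tuple[int, str]:
    """Fixed version: oversized input handled gracefully, output HTML-escaped."""
    if len(query) > 1024:
        return 400, "<p>Query too long</p>"
    return 200, f"<p>Results for {html.escape(query)}</p>"


# Constructed hostile inputs, the kind of "unexpected input" a scanner or
# fuzzer would throw at the endpoint. A real suite would carry far more.
PAYLOADS = {
    "xss_tag": "<script>alert(1)</script>",
    "xss_attr": '" onmouseover="alert(1)',
    "traversal": "../../etc/passwd",
    "oversize": "A" * 5000,
    "null_byte": "foo\x00bar",
    "rtl_override": "\u202ereport.exe",
}


@dataclass(frozen=True)
class Finding:
    payload_name: str
    reason: str


def run_security_checks(handler: Handler) -> list[Finding]:
    """Send every payload through the handler and record anything that looks
    like a bug: an unhandled exception, a 5xx, or the payload echoed back
    without HTML encoding."""
    findings: list[Finding] = []
    for name, payload in PAYLOADS.items():
        try:
            status, body = handler(payload)
        except Exception as exc:  # a crash on hostile input is itself a finding
            findings.append(Finding(name, f"handler raised {type(exc).__name__}"))
            continue
        if status >= 500:
            findings.append(Finding(name, f"server error {status}"))
        # Reflection check: if the payload needed escaping and still appears
        # verbatim in the response, the output is not being encoded.
        if html.escape(payload) != payload and payload in body:
            findings.append(Finding(name, "payload reflected without HTML escaping"))
    return findings


if __name__ == "__main__":
    for label, handler in (("weak", weak_search_handler),
                           ("hardened", hardened_search_handler)):
        print(f"{label}: {run_security_checks(handler) or 'no findings'}")
```

Run against the weak handler this reports three findings (two reflected payloads and one crash on oversized input); against the hardened handler it reports none. The same harness can be pointed at a real endpoint by swapping the handler for an HTTP call, and the payload table is exactly what a commercial scanner expands into thousands of cases; the structure of the test does not change.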
Seriously, there is nothing to lose, and security tools do not cost as much as you might think. I will give an example with our most expensive product, the Enterprise Pack. At the time of writing, the Enterprise Pack costs nearly $5K per month. That is expensive and not for everyone. However, this solution can be used by 500 developers, which works out to about $10 per developer per month. Is this still expensive? Looked at from a different angle, the whole solution costs nearly $55K per year and can be used by 500 people, while for the same amount of money you cannot hire even a single security tester.
I hope that I have managed to convince you to incorporate some security tools into your development workflow. It is not really that difficult, and the benefits far outweigh the cost. Pick any vendor you like and give it a go.