Chapter 8. Automated Security Testing

Why audit code when tools can do it for you?

I once heard a great story to describe the difference between engineers and software developers: If you ask engineers to build a bridge from San Francisco to Japan, they'll just tell you it's impossible. If you ask software developers to approach the problem, they'll just write a little function that builds a 1-meter unit of bridge and then put it in a loop until the bridge is finished. Certainly one of the defining characteristics of software developers is the recognition of the computer as a tool to do your bidding for you, and when it comes to tedious tasks like auditing code, why not let the computer do it for you?

Another great comment I've heard was from someone who compared penetration testing with vulnerability analysis tools, as shown in Table 8.1.

Table 8.1. Comparison of Penetration Test to Vulnerability Analysis Tools

PENETRATION TEST                                                VULNERABILITY ANALYSIS TOOL
A bunch of nerdy guys eating too much pizza                     Software
Keep working until they've broken into the software             Takes a long time
and have a simple report                                        Not exhaustive
                                                                Gives lots of false errors

A vulnerability analysis tool can't give you the same confidence in a web application that a proper penetration test performed by savvy individuals can give you. But it can cut down on the time required to do a penetration test and may give an initial sense of just how bad your security is. In this chapter we'll cover three tools to test Drupal. ...
