Quote:
Originally Posted by alcstrategy
With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.
There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.
|
I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.