Automated vs Manual Testing

By definition, automated testing is where a one piece of software is used to test another piece of software in compiled or source code form. On the other hand, manual testing is the process where a person is performing the tests directly by hand.

Pros and Cons

There are a number advantages and disadvantages in both approaches. While manual tests benefit from the fact that the test is executed by a real, thinking person and therefore the quality of the test tends to be better to a degree, this approach doesn't scale well especially for larger pieces of software. Additionally, manual tests often provide inconsistent and difficult to verify results.

Automated tests on the other hand, are consistent and scale well especially with very large application. Results are verifiable and easy to reproduce. The disadvantage of automated testing practices is that the rate of false-positives may be high and therefore the outcome of the test may not be particularly useful.

The best approach is often to combine automated and manual tests. Automated tests are very useful at the initial stages where the requirement is to cover as much area as possible. The results from the test are analyzed and manual investigation is performed in the areas that seem critical. The process can be repeated until a satisfactory level of coverage is reached.

The key thing to remember is that there is no definite approach when it comes to web application security testing. It is down to the penetration tester to choose the best approach for the application that is to be tested.