Testing, Tuned to Requirements
I offer consultancy and testing that is tuned to a particular client's requirements. My testing procedures are based on years of experience in the field, not the blind running of automated test systems. I wouldn't normally run an off-the-shelf scanning tool unless either I or the client thought it might reveal something of interest.
My normal practice is to seek out those areas of the application that experience tells me might be weak, and then attack them directly. There's a description of what I typically look for here.
The Case for Automation
Automated tools do have their place, of course. I wouldn't attempt to brute force a password by hand, for example, and some tools represent a useful optimisation or opportunity for time saving. I have an arsenal of tools that I've written myself, and I frequently modify and adapt them for use with new clients' systems. Given the way I work, clients won't receive a report from me that simply consists of a printout from a set of automated tools.
Knowledge and Experience
Experience counts in this field. I understand how hackers think, and how a hacker might examine a system looking for weaknesses. I also know how web applications work and how their developers think. I understand the pressures of deadlines and can see where code might get complex. I know how these factors can affect system security and use them to home in on potential weak spots.
I'm also happy to do revalidation work for previous clients. When a system has been "fixed" or new features rolled out, I'll either rerun my tests or run specific new ones to check the areas that need revalidation.