Automated security testing technologies can seriously damage the web applications they are used against. Therefore, it is often recommended to perform automated tests only against systems in demo, testing or pre-production environments. If you target a web application, which performs many database operations, such as updating or inserting new records, some of the following things can occur:
- Denial of Service (DoS) and data unavailability
- Unnecessary or unwanted records in databases and log files
- Trigger of unnecessary or false security alarms
- System crash, malfunction and general instability
A combination of automated and manual testing is often the only way to minimize any damage during testing and maximize vulnerability detection coverage. Automated tools can be used pre-production or during the development.
The key is to test early and test often. Providing your development or quality assurance teams with tools to do their own security testing is preferable and generally leads to more education about web security and more quality code avoiding all the costs and risks associated with later stage testing when the application is already deployed in production.