Every now and then, I dabble in coding. Every time I develop software, I realize that writing code that does what it supposed to do is not all that hard. However, writing code that does exactly what it supposed to do, and only what it is supposed to do, is incredibly hard.
Automated application testing is a very valuable tool. Systematic and complete checking of all inputs and outputs is something that is incredibly tedious, labor intensive, and as a result, takes a lot of time and patience. That also makes it a very expensive process to do manually.
Good tools are available to test each input element and each output element of a web application, and their use should be far more wide-spread than it is now.
Web application security is about much more though; it involves session handling, authentication and authorization, access control, cookie theft, replay attacks, URL manipulation, intrusion detection (and prevention), etc., etc. Good people who understand these issues in-depth are rare and deserve all the credits that one may give them.
In addition to using automated tools to test the application, peer-review of code is a good thing and it may catch ugly solutions or design flaws. Using "eyes on lines" it becomes much easier to catch backdoors, or other code vulnerabilities that might not be obvious to find using automated tools.
All in all, we need to do much more quality control on code before it gets released. Automated testing tools must be run before code gets released and careful peer-review of code should be embedded in the full software development cycle.