Educause Security Discussion mailing list archives
Re: Experiences with Web application vulnerability assessment (1) software (2) companies
From: "curtw () siu edu" <curtw () SIU EDU>
Date: Wed, 27 Feb 2008 23:09:14 -0600
I've used various webapp assessment scanners over the years and have found value in them, especially for the bruteforce-try-out-many-directories-and-filename issues and generic SQL injection indicators, but they only go so far. Manual assessment has been of more value to me; however, it usually takes a long time. Using Paros, WebScarab or another proxy (I'm wanting to try out Burp but haven't had the opportunity yet) and carefully analyzing how things are being processed has been very useful. I'm curious to know others' experiences with consultants and vendors when webapp assessment is not performed in-house. I'm sure I'm not the only one who struggles to keep up with this fast-moving area while keeping up with many other fast-moving areas at the same time (and trying to keep some sanity!)

cw

---------Included Message----------
Date: 27-feb-2008 16:59:16 -0600
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Reply-To: "The EDUCAUSE Security Constituent Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies
Seconded. Automated tools are great for quickly identifying potential problem areas or to satiate your resident auditor with a pretty graph. If this is where the assessment stops, however, you are doing yourself a disservice. The Achilles heel in most well-designed web applications is likely to be missed by all but the most persistent, thorough and oftentimes unorthodox eye. It is here that these solutions usually outlive their usefulness. Save your money and invest in skilled people.
That said, has anyone played with CDC's Goolag Scanner yet? ;)

-p

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Hull, Dave
Sent: Wed 2/27/2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies
I have used Web Inspect, but it's been a year and a half. My experience was that it was decent, but like many similar products it had a high number of false positives and does not catch everything.

For really critical web applications nothing beats a well-trained Q&A team with time, tools and access to the source code. Again, it's been a year and a half since I have done line-by-line code review professionally, but at that time it was more effective at finding flaws than any of the automated tools I tried. Obviously it's not as fast to do it by hand.

It's that old trade-off between fast, cheap and accurate. Pick two.
--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629 Fax 785.864.5393

"The free world says that software is the embodiment of knowledge about technology, which needs to be free in the same way that mathematics is free." -- Eben Moglen, Software Freedom Law Center

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies

Have any schools had any experiences with Web application security vulnerability assessment (1) software -- (nstalker, appscan, etc.) (2) companies / consultants who perform such services? Post to the list or to me. I'll summarize.

H. Morrow Long
University Information Security Officer
Director - Information Security Office
---------End of Included Message----------