Educause Security Discussion mailing list archives

Re: Experiences with Web application vulnerability assessment (1) software (2) companies

From: Bob Doyle <bobdoyle () KELLOGG NORTHWESTERN EDU>
Date: Fri, 29 Feb 2008 17:35:57 -0600

Has anybody looked into or used any static code analyzers like SPI/HP's devInspect plug-in for Visual Studio to 
supplement process elements like design and code review?

I'm looking for additional tools that can help our developer's find security holes before the dynamic scanners catch it 
in Q+A or production.

Thanks,
Bob




From: Alex [mailto:alex.everett () UNC EDU]
Sent: Thursday, February 28, 2008 11:11 AM
Subject: Re: Experiences with Web application vulnerability assessment (1) software (2) companies

Darwin,

That is really the right place to be involved. However, it doesnt necessarily solve the problem that a lot of 
applications are already in production and were never designed with security requirements. Additionally, the people who 
designed or were in charge may no longer be available.

-Alex

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Darwin 
Macatiag
Sent: Thursday, February 28, 2008 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies

I've been involved in the development process in the form of security design reviews and code reviews as well as the 
manual and automatic webapp pentests in the private sector.  A lot of times it turned out the most productive use of 
time is spent during the design reviews.  The major security issues are found during this time and the amount of time 
spent is pretty small (second only to an automated pentest).  The code review will tend to locate the most security 
issues however it tends to be extremely time consuming but some of the automated tools such as Fortify (commercial) and 
PMD (open source) help.  Pentests in QA and production were used as the last stopgap since things always fall through 
the cracks in large projects.

Darwin


"curtw () siu edu" <curtw () SIU EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

02/27/2008 09:09 PM
Please respond to
The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>


To

SECURITY () LISTSERV EDUCAUSE EDU

cc

Subject

Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies







I've used various webapp assessment scanners over the years and
have found value in them, especially for the bruteforce-try-out-
many-directories-and-filename issues and generic SQL injection
indicators, but they only go so far. Manual assessment has been
of more value to me, however it usually takes a long time. Using
Paros, webscarab or other proxy (I'm wanting to try out Burp but
haven't had the opportunity yet) and carefully analyzing how
things are being processed has been very useful.

I'm curious to know others experiences with consultants and
vendors when webapp assessment is not performed in-house. I'm
sure I'm not the only one who struggles to keep up with this
fast moving area while keeping up with many other fast-moving
areas at the same time (and trying to keep some sanity!)

cw


---------Included Message----------

Date: 27-feb-2008 16:59:16 -0600
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Reply-To: "The EDUCAUSE Security Constituent Group

Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>

To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Experiences with Web application

vulnerability assessment (1) software (2) companies


Seconded.

Automated tools are great for quickly identifying potential

problem areas or to satiate your resident auditor with a pretty
graph. If this is where the assessment stops however, you are
doing yourself a disservice. The Achilles heel in most well
designed web applications is likely to be missed by all but the
most persistent, thorough and oftentimes unorthodox eye. It is
here that these solutions usually outlive their usefulness. Save
your money and invest in skilled people.


That said, has anyone played with CDC'c  Goolag Scanner yet? ;)

-p

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on

behalf of Hull, Dave

Sent: Wed 2/27/2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application

vulnerability assessment (1) software (2) companies




I have used Web Inspect, but it's been a year and a half. My

experience

was that it was decent, but like many similar products had a

high number

of false positives nor does it catch everything.

For really critical web applications nothing beats a well

trained Q&A

team with time, tools and access to the source code. Again it's

been a

year and half since I have done line-by-line code review

professionally,

but at that time it was more effective at finding flaws than

any of the

automated tools I tried. Obviously it's not as fast to do it by

hand.

It's that old trade off between fast, cheap and accurate. Pick

two.


--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax  785.864.5393

"The free world says that software is the embodiment of

knowledge about

technology, which needs to be free in the same way that

mathematics is

free."
-- Eben Moglen, Software Freedom Law Center



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application

vulnerability

assessment (1) software (2) companies

Have any schools had an experiences with Web application

security

vulnerability assessment

(1) software -- (nstalker, appscan, etc.)

(2) companies / consultants who perform such services

Post to the list or to me.  I'll summarize.

H. Morrow Long
University Information Security Officer
Director -  Information Security Office

---------End of Included Message----------

Current thread:

Re: Experiences with Web application vulnerability assessment (1) software (2) companies, (continued)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Roger Safian (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Hull, Dave (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Randy Marchany (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Hull, Dave (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Halliday,Paul (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Petreski, Samuel (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Alex (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies curtw () siu edu (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Darwin Macatiag (Feb 28)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Alex (Feb 28)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Bob Doyle (Feb 29)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Darwin Macatiag (Feb 29)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Jon Hanny (Mar 03)