Penetration Testing mailing list archives
Re: Vuln Scanner for Web App Source Code
From: Mike Duncan <Mike.Duncan () noaa gov>
Date: Thu, 22 May 2008 14:02:32 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason wrote:
Fortify and Ounce both have source code scanners and both are quite capable (at least seem to be). I am in the middle of trying to figure out which one to use for our source code analysis projects. Cenzic Hailstorm and SPI Dynamics Web Inspect are vulnerability scanners ONLY and do NOT inspect source code. Same with Paros Proxy, this is a pen testing / VA tool more than anything. I'd still recommend you do manual checks in addition to using a source code scanner. You'll have to to verify the results.
I couldn't agree more. Most of the static analysis products will convert the source code into another format (usually XML based) and then search the content for possible vulnerabilities. With low-hanging-fruit like XSS caused by not sanitizing and checking inputs, these tools are really good. However, most lack in the ability to completely analyze the complete application work flow and see issues in/out of the code base.
-J On 18 May 2008 04:15:50 -0000, cnanne () gmail com <cnanne () gmail com> wrote:This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in the actual Source Code of the Web App? Or can this task can only be done by hand? Any feedback on this is highly appreciative cheers, PhoenixRbrth
Mike Duncan ISSO, Application Security Specialist NOAA :: National Climatic Data Center -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFINbU3nvIkv6fg9hYRAp9zAJ9lX91nMhMZSzZydwhJ8H26eoi2mACfRCl/ 7V9X8fJ2kO2TzZ+qY2J7upA= =DRWQ -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Vuln Scanner for Web App Source Code cnanne (May 18)
- Re: Vuln Scanner for Web App Source Code r (May 18)
- Re: Vuln Scanner for Web App Source Code Jason (May 21)
- Re: Vuln Scanner for Web App Source Code bugtraq (May 22)
- Re: Vuln Scanner for Web App Source Code Mike Duncan (May 22)
- Re: Vuln Scanner for Web App Source Code Haroon Meer (May 23)
- RE: Vuln Scanner for Web App Source Code Kevin Reiter (May 22)
- RE: Vuln Scanner for Web App Source Code NL Nathan LaFollette (2094) (May 23)
- Re: Vuln Scanner for Web App Source Code bigbert007 (May 28)
- RE: Vuln Scanner for Web App Source Code NL Nathan LaFollette (2094) (May 23)
- <Possible follow-ups>
- RE: Vuln Scanner for Web App Source Code FF (May 19)