Penetration Testing mailing list archives
WebApp Pentest: Tool-Chain / Best Practice
From: André Schaller <an.schall () googlemail com>
Date: Mon, 27 Aug 2012 09:03:19 +0200
Hey there,

I know there are a lot of guidelines on how to perform a decent web application pentest (like the OWASP guide). However, most of these documents give recommendations regarding the things that need to be investigated and the tools to use at which stage in the process.

From a business point of view this seems a little bit unsatisfying, since one has to use a scattering of different tools with different (maybe sometimes redundant) outputs for different security aspects (LFI scanner, SQLi scanner, etc.). This makes it rather annoying to model a high-performance business process which is automated at least in the first step (I know it will take human interpretation of the results anyway, and further investigation of the reported issues).

So my actual question is: Are there any best practices or guidelines on the interaction of these tools? Are there recommendations regarding tool-chains? Do you guys have experiences regarding the process modeling of such a pentest?

Thanks for your replies.

Regards,
A. Schaller
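One concrete piece of the tool-chain problem raised in the post is that several scanners report overlapping findings in different formats. The following is an added example (not code from the original post or from any tool it mentions) showing how a small orchestration step can normalize heterogeneous scanner output into one schema and merge duplicates before a human reviews them. The scanner names, their output formats and every finding are constructed; the real tools in a given chain will differ.

```python
"""Added example: normalize findings from several web-application scanners into
one schema and merge duplicates, so that redundant tool-chain output becomes a
single consolidated list for human review.  Tool names, output formats and all
sample findings below are constructed, not taken from any real scanner."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl, urlunsplit, urlencode

# Constructed raw output from two hypothetical scanners with different schemas.
SCANNER_A = [  # hypothetical "sqli-scanner": JSON-like records
    {"url": "http://example.test/items?id=1&sort=asc", "param": "id",
     "type": "sql_injection", "risk": "high"},
    {"url": "http://example.test/search?q=x", "param": "q",
     "type": "xss", "risk": "medium"},
]
SCANNER_B = [  # hypothetical "lfi-scanner": tab-separated lines, numeric severity
    "http://example.test/items?sort=asc&id=1\tid\tSQLi\t3",
    "http://example.test/download?file=a.txt\tfile\tLFI\t3",
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}
CATEGORY_ALIASES = {"sql_injection": "sqli", "sqli": "sqli", "xss": "xss", "lfi": "lfi"}


@dataclass
class Finding:
    endpoint: str      # scheme + host + path with query keys sorted and values dropped
    parameter: str
    category: str
    severity: int      # 1 = low, 2 = medium, 3 = high
    sources: set = field(default_factory=set)


def canonical_endpoint(url: str) -> str:
    """Drop query values and sort keys so that /items?id=1&sort=asc and
    /items?sort=asc&id=1 map to the same endpoint."""
    parts = urlsplit(url)
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = urlencode([(k, "") for k in keys])
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, query, ""))


def from_scanner_a(record: dict) -> Finding:
    """Map a scanner_a record onto the common schema."""
    return Finding(canonical_endpoint(record["url"]), record["param"],
                   CATEGORY_ALIASES[record["type"].lower()],
                   SEVERITY[record["risk"].lower()], {"scanner_a"})


def from_scanner_b(line: str) -> Finding:
    """Map a scanner_b tab-separated line onto the common schema."""
    url, param, category, sev = line.rstrip("\n").split("\t")
    return Finding(canonical_endpoint(url), param,
                   CATEGORY_ALIASES[category.lower()], int(sev), {"scanner_b"})


def merge(findings) -> list:
    """Merge findings sharing (endpoint, parameter, category): keep the highest
    severity and record every tool that reported it, then sort for triage."""
    merged = {}
    for f in findings:
        key = (f.endpoint, f.parameter, f.category)
        if key in merged:
            merged[key].severity = max(merged[key].severity, f.severity)
            merged[key].sources |= f.sources
        else:
            merged[key] = Finding(f.endpoint, f.parameter, f.category,
                                  f.severity, set(f.sources))
    return sorted(merged.values(),
                  key=lambda f: (-f.severity, f.endpoint, f.parameter))


def consolidate(scanner_a=SCANNER_A, scanner_b=SCANNER_B) -> list:
    """Run both adapters over their raw outputs and return the merged list."""
    findings = [from_scanner_a(r) for r in scanner_a] + \
               [from_scanner_b(l) for l in scanner_b]
    return merge(findings)


if __name__ == "__main__":
    for f in consolidate():
        print(f.severity, f.category, f.endpoint, f.parameter, sorted(f.sources))
```

The merge key deliberately ignores query values and parameter order, which is what makes the two SQLi reports above collapse into one finding attributed to both tools; a chain that keys on the raw URL string would present them as two separate issues. Each additional scanner only needs its own small adapter function producing `Finding` objects, and the rest of the pipeline stays unchanged.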