WebApp Sec mailing list archives

RE: Your help gratefully received


From: "Michael Howard" <mikehow () microsoft com>
Date: Thu, 27 Feb 2003 12:01:09 -0800

Look at the threats to the system - then choose your tools...
 
As for tools, I tend to use Perl scripts I wrote :-)

________________________________

From: Craig_Sullivan () Waitrose co uk [mailto:Craig_Sullivan () Waitrose co uk]
Sent: Thu 2/27/2003 9:37 AM
To: webappsec () securityfocus com
Subject: Your help gratefully received
Hi,

I'm conducting a web app sec review for someone and would like some advice.

I am assembling some tools that I need to use and also the areas that I am
going to concentrate upon during my assessment.

The objective here is to see how well I can do against an automated appsec
scanning product against a non commercial test server in the lab.

The questions I have are:

What tools do you recommend (for general and specific use, e.g. proxies,
scanners, site dumping, etc.)?
What areas should I concentrate on (e.g. state management, SSL, XSS, SQL
injection, etc.)?
What webapp security resources do you use and can recommend?

Thanks very much in advance,

Regards,

Craig.