WebApp Sec mailing list archives

RE: testing web app security


From: "Weiler, Jim" <Jim.Weiler () Staples com>
Date: Wed, 31 Mar 2004 12:55:47 -0500

I've run WebInspect from SPIDynamics against a development version of a
public ecommerce web site with >1500 pages and another one with about 500
pages. It did a great job of finding and reporting vulnerabilities, letting
me configure it in terms of load and type of assessment. Very comprehensive
I think on the testing of various vulnerabilities, good technical folks to
work with.


-----Original Message-----
From: Michael Cunningham [mailto:crayola () optonline net] 
Sent: Friday, March 19, 2004 2:34 PM
To: webappsec () securityfocus com
Subject: testing web app security

Folks, 

I am going to have to take on the task of testing software 
applications my company produces as they roll through the 
QA/UAT process for security concerns (can't hire anyone and software 
to automate the testing seems to be very expensive). They are 
mainly web based applications with a database backend
and some custom java and C programs. I am aware of how SQL
injection, buffer overflows, cross site scripting, and other
security programming problems work, but I don't have a whole lot
of experience applying this knowledge to application testing.

Are there any training courses or documents/books you can 
suggest that would help me learn the skills I need to 
make this happen? Does anyone have a site that lists tools
(open source preferred) that I could use to help me test these
applications?

Thanks for any help you can offer, 
Mike
