WebApp Sec mailing list archives
RE: Spi's products worth a try? Or any suggestions for developers' tool?
From: "Thomas Brennan" <tbrennan () datasafeservices com>
Date: Sun, 6 Nov 2005 20:11:48 -0500
Aman, I take it you're on the "team" that is overworked -- I feel your pain ;) Just a couple of thoughts to help your question in a more comprehensive way than a simple product yea/nay plug.

1a. Print out a copy of the OWASP 2.1 Guide to Building Secure Web Applications, http://www.owasp.org/documentation/guide/guide_downloads.html, and distribute it to your developers for reading/reference to increase the digital awareness of the individual coder.

1b. Hold an internal class/webex/seminar/pizza party, whatever... to speak to the areas of development that affect your base of applications. This will mean the testers and the coders in the same room sharing information and working together. It is very helpful to outline the development lifecycle and the testing lifecycle so both sides get an understanding of the common goal, and then have each group align under a common QA/Reporting method such as DREAD.

2. To reduce the "testing team time", we totally agree that the development groups should perform QA testing, treating security flaws in applications as "bugs". We have seen tools (full disclosure: we have some of the following tools in our toolbox) provide a good 30-60%+ of catching coding flaws. I would recommend: SPI, NTO Spider, CENZIC, AppDetective etc.... Some are better than others, hence the open commercial market; some cost more, some do more etc... and of course don't forget about good old Nikto. (Get googling to find more information on those apps.) But a combination of tool scanning, code review and a human's digital knowledge in appsec testing is the defense-in-depth approach to finding more vulnerabilities and spending less in countermeasures.

Arian Evans recently did a funny presentation of tools that you could review at: http://www.owasp.org/docroot/owasp/misc/OWASP_DC_2005_Presentations/Track_2-Day1/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt

Worth checking out -- Arian's a solid guy - he did a good baseline, but in the end you're going to need to talk to the vendors individually, get a lab set up and perform an evaluation of the products yourself, and test apples to apples with current versions. Your evaluation and test results could be a nice non-vendor-written whitepaper for the community <hint hint>

P.S. - Good luck with your new Treo 650 <doh> yes, we all read other mailing lists as well - pssh - The EVDO Samsung i730 is a better value, and with bluetooth dialup you're never without a secure connection, but that's another list topic/reply ;)

Hope this puts things into a better perspective?

Thomas Brennan
DATA SAFE SERVICES
"Because Security is NOT the default"
Tel: 973-795-1046 | Fax: 973-428-0293
Web: www.datasafeservices.com

-----Original Message-----
From: Aman Raheja [mailto:araheja () techquotes com]
Sent: Friday, November 04, 2005 12:40 PM
To: webappsec () securityfocus com
Subject: Spi's products worth a try? Or any suggestions for developers' tool?

Hello

Does anyone have any experience with Spi's tools for web application vulnerability scanning? http://www.spidynamics.com/products/index.html

I need to suggest a developers' tool so that they can self-assess their application and reduce the overhead of the testing team. Any advice?

Thanks in advance.

Regards
Aman Raheja
http://www.techquotes.com