WebApp Sec mailing list archives
Re: Web Site Certification
From: "Adam Tuliper" <amt () gecko-software com>
Date: Fri, 28 Apr 2006 10:48:44 -0400
As the other Adam says (as I dont usually talk about myself in third person), truly buyer beware, as they can be anything from comprehensive or even cover the basics.One online store had the "Hacker Safe" logo, so out of curiosity from a 'high level', I entered '--' in the search box and received back the error info showing sql injection was indeed possible. So I alerted the company and never heard a word back. Problem still exists. So it seems some places have this 'certification' just for pure pr purposes and don't really care much about their security.
----- Original Message ----- From: "Adam Mikrut" <am () digitalstakeout com>
To: <lists () nathanhall net>; "Marco Passarella" <mark.keon () gmail com> Cc: <webappsec () securityfocus com> Sent: Thursday, April 27, 2006 2:01 PM Subject: RE: Web Site Certification MOST of these services do a solid network vulnerability scan (Nessus) and fail miserably on web application scan quality. If you put a logo on a web application and proclaim it is safe and trustworthy, you need to ensure web application is actually tested correctly. A few Nessus web nasl tests don't cut it... Buyer beware: If you go down the route of using a "certification" service, ask the following questions. 1) What application layer scanning technology is utilized? If it's built "in-house", I would download a trial copy of a web application scanner (SPI Dynamics or Watchfire my pref) and compare results. 2) Do they test for all the components mentioned in the WASC? http://www.webappsec.org/projects/threat/v1/WASC-TC-v1_0.txt 3) Do they customize the application scan policy for your web application (all site parameters accounted for and verify crawl quality)? ...Then make them prove it to you. Depending on the web application, automated testing takes you 50-75% of the way. The quality of the policy and customized testing get you a little bit further. However, it is very difficult task. I find it hard to believe all this work would be done for just few hundred bucks a year per web application. There are companies who do focused managed web application scanning, a little more expensive but with a better end result. Regards, Adam Mikrut CTO DigitalStakeout, LLC Web: www.digitalstakeout.com Phone: 678-638-6281 Fax: 678-638-6283 Who's Watching The Watchers? DigitalStakeout! MSSP SLA Enforcement Services This email and any attached files are confidential and may be legally privileged. They are meant for private use for the intended recipient(s) only. It is strictly prohibited for anyone to copy, forward, or distribute the enclosed content. If this message has been received in error, please delete it along with any attached files immediately and notify the sender by phone. -----Original Message----- From: Nathaniel Hall [mailto:lists () nathanhall net] Sent: Thursday, April 27, 2006 9:24 AM To: Marco Passarella Cc: webappsec () securityfocus com Subject: Re: Web Site Certification Marco Passarella wrote:
Hi all, what do you think about the remote services that promise your site to be "hacker free"? Can you really monitor remotely the security of a site using a scanner? Here is an example: http://www.scanalert.com/
It isn't that the site is necessarily "hacker free." They have simply guaranteed that the site is not vulnerable to the FBI/SANS top vulnerabilities (www.sans.org/top20/). They also meet various credit card requirements (VISA CISP/PCI). Click on the "Hacker Safe" logo to see an explanation. -- Nathaniel Hall, GSEC GCFW GCIA ------------------------------------------------------------------------ - Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- Web Site Certification Marco Passarella (Apr 27)
- Re: Web Site Certification Dean H. Saxe (Apr 27)
- Re: Web Site Certification Nathaniel Hall (Apr 27)
- <Possible follow-ups>
- RE: Web Site Certification Craig Wright (Apr 27)
- RE: Web Site Certification Craig Wright (Apr 27)
- RE: Web Site Certification Adam Mikrut (Apr 27)
- Re: Web Site Certification Adam Tuliper (Apr 28)
- Re: Web Site Certification Admin Dbtech (Apr 27)
- Re: Web Site Certification ROB DIXON (Apr 27)
- RE: Web Site Certification ROB DIXON (May 01)