WebApp Sec mailing list archives
Re: Open Source Application Vulnerability Assessment Tools
From: Stephen de Vries <stephen () corsaire com>
Date: Thu, 28 Sep 2006 15:05:09 +0700
Hi Allen, On 28 Sep 2006, at 02:40, Brokken, Allen P. wrote:
On this list we talk a lot about various vendor provided tools quite abit. In general it appears most solutions are Windows-centric in theirinstallation even if they work against multiple platforms. With the prevalence of LAMP systems I would figure there must be some means of doing a security assessment on their applications with native tools. It seems odd to me that there isn't a NESSUS equivalent for application testing. I'm wondering what is available from the Open Source community in the way of * Black Box web assessment software
- Paros (www.parosproxy.org) - Java based, does automated spidering and scanning - WebScarab (www.owasp.org) - Java based, more manual approach, very flexible and includes a beanshell console
- Burp (http://www.portswigger.net/proxy/) - Odysseus proxy http://www.wastelands.gen.nz/odysseus/index.php - Spike proxy http://www.immunitysec.com/resources-freesoftware.shtml - and many more
* Source code assessment software
- LAPSE Source code analysis, for scanning Java applications (http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project)- Findbugs, Checkstyle, PMD (you can google them), all source code analysis tools for finding common Java software bugs, have some elementary security tests but are fully customisable so you can easily write your own signatures.
regards, -- Stephen de Vries Corsaire Ltd E-mail: stephen () corsaire com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com ------------------------------------------------------------------------- Sponsored by: WatchfireIt's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Albert (Aug 25)
- Open Source Application Vulnerability Assessment Tools Brokken, Allen P. (Sep 27)
- Re: Open Source Application Vulnerability Assessment Tools Stephen de Vries (Sep 28)
- Open Source Application Vulnerability Assessment Tools Brokken, Allen P. (Sep 27)