Security Basics mailing list archives
RE: Web apps code testing
From: "Yvan Boily" <yboily () seccuris com>
Date: Wed, 17 Mar 2004 17:56:00 -0600
There is no single tool that will grant you security. What you are looking for is a code audit, which can be performed internally or by another party. Ideally you would have other people come in to look at the application (i.e. experts); however, if you feel confident in your development team's ability to secure the application then they can perform the audit themselves.

A good way to check if you need outside security auditors is to ask your developers if they can explain the following to you:

- Cross Site Scripting & SQL injection attacks
- Session Hijacking
- Race conditions
- Access controls and Security models which have been implemented
- Role of encryption in the application (above and beyond SSL between the browser and the web server)

If they cannot confidently offer an explanation of each of them, and measures that they have taken to prevent them, then I seriously doubt their capability to ensure that the application is secure.

I would also expect them to have the following, given that they are using Java and resources related to this are easily identifiable:

- Risks of RMI and related technologies in web based applications.
- A report of how they dealt with issues such as those outlined in OWASP.
- Hardening recommendations for the host environment.

Regards,

Yvan Boily
Information Security Analyst
Seccuris

-----Original Message-----
From: Marty [mailto:groupecci () yahoo ca]
Sent: Tuesday, March 16, 2004 6:51 PM
To: Sec Basic
Subject: Web apps code testing

Hi,

I have the complete code (Java) for a website our development team just completed. Is there a tool I can use to make sure the code is secure?

Thanks!

Marty