Dailydave mailing list archives

Re: bugs are bad.


From: John Lampe <jwlampe () nessus org>
Date: Mon, 31 Jul 2006 13:52:43 -0500

Matthew Franz wrote:

> The other I'd like to see in commercial products is mining information
> from server configuration and feeding that into a scanner. For example
> on J2EE apps you've got a wealth of info sprinkled across dozens of
> XML config files. Struts-based apps also have juicy stuff about forms,
> variables, types, and validation mechanisms that could drive specific
> tests, much of which will be in the .war.
>
> I assume there is comparable stuff on the Microsoft platform...


There is comparable stuff on MS platforms.  Parsing the source code,
.config files, the registry (if they are doing it right), DISCO, UDDI,
etc. etc. yields interesting stuff.  And, there are tools which automate
some of the local code auditing (FxCop, SSW Code auditor, etc.)...

It would seem that a better methodology for app pen-testing would be to 
do the code audit and pen-test in conjunction.  The code audit gives you 
the attack vectors that *should* work, and the pen-test becomes nothing 
more than a validation for the code audit.

Lots of pen-testers won't like this as it requires skill in actually 
reading code...That's why you hear them say stuff like "We need to 
emulate the actual Hacker attack" and similar rubbish.  Why use a 
black-box approach when you can read and analyze the application?  Isn't 
that just common sense?

-- 
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
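As an added illustration of the config-mining idea discussed in the quoted text (this is example code, not something from the thread or from any of the tools named in it), the script below reads a Struts 1 struts-config.xml and validation.xml, joins form beans to the action mappings that consume them and to the validator rules that apply, and reports the audit gaps a reviewer would want first: actions that turn validation off and form properties with no validator rule at all. The two XML documents are constructed sample input; the element and attribute names follow the Struts 1 layout (form-beans, action-mappings, formset/form/field).

```python
"""Mine Struts 1 configuration for code-audit coverage.

Added example, not code from the original mailing-list thread.
Assumes the Struts 1 file layout: struts-config.xml with <form-beans>
and <action-mappings>, and validation.xml with <formset>/<form>/<field>.
The two documents below are constructed sample input for a toy app.
"""
import xml.etree.ElementTree as ET

# Constructed struts-config.xml: two form beans, two action mappings.
STRUTS_CONFIG = """<?xml version="1.0"?>
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.action.DynaActionForm">
      <form-property name="username" type="java.lang.String"/>
      <form-property name="password" type="java.lang.String"/>
    </form-bean>
    <form-bean name="searchForm" type="org.apache.struts.action.DynaActionForm">
      <form-property name="query" type="java.lang.String"/>
      <form-property name="pageSize" type="java.lang.Integer"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" scope="request" validate="true"
            input="/login.jsp" type="example.LoginAction"/>
    <action path="/search" name="searchForm" scope="request" validate="false"
            type="example.SearchAction"/>
  </action-mappings>
</struts-config>
"""

# Constructed validation.xml: rules exist for loginForm only.
VALIDATION = """<?xml version="1.0"?>
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
      <field property="password" depends="required"/>
    </form>
  </formset>
</form-validation>
"""


def parse_validators(validation_xml):
    """Return {form_name: {property: {"depends": [...], "vars": {...}}}}.

    For config files pulled from an untrusted .war, prefer defusedxml
    over the stdlib parser; ElementTree is used here for the sample.
    """
    root = ET.fromstring(validation_xml)
    forms = {}
    for form in root.iter("form"):
        fields = {}
        for field in form.findall("field"):
            depends = [d.strip() for d in field.get("depends", "").split(",") if d.strip()]
            var_map = {v.findtext("var-name"): v.findtext("var-value") for v in field.findall("var")}
            fields[field.get("property")] = {"depends": depends, "vars": var_map}
        forms[form.get("name")] = fields
    return forms


def mine_struts(struts_xml, validation_xml):
    """One record per action mapping: its form fields, the validators that
    apply to each, and findings for validation gaps a reviewer should check."""
    root = ET.fromstring(struts_xml)
    beans = {}
    for bean in root.iter("form-bean"):
        beans[bean.get("name")] = [(p.get("name"), p.get("type"))
                                   for p in bean.findall("form-property")]
    validators = parse_validators(validation_xml)

    records = []
    for action in root.iter("action"):
        form = action.get("name")
        # Struts 1 treats a missing validate attribute as "true".
        validate = action.get("validate", "true").lower() == "true"
        form_rules = validators.get(form, {})
        fields, findings = [], []
        if form and not validate:
            findings.append('validate="false": validator framework skipped for this action')
        for prop, jtype in beans.get(form, []):
            rules = form_rules.get(prop, {"depends": [], "vars": {}})
            fields.append({"name": prop, "type": jtype, **rules})
            if validate and not rules["depends"]:
                findings.append(f"field {prop!r} has no validator rule")
        records.append({"path": action.get("path"), "form": form,
                        "validate": validate, "fields": fields, "findings": findings})
    return records


if __name__ == "__main__":
    for rec in mine_struts(STRUTS_CONFIG, VALIDATION):
        print(rec["path"], "form=%s validate=%s" % (rec["form"], rec["validate"]))
        for f in rec["fields"]:
            print("   ", f["name"], f["type"], f["depends"], f["vars"])
        for finding in rec["findings"]:
            print("    !", finding)
```

The output is a per-action list of input names, declared Java types and validator constraints, which is exactly the kind of "attack vectors that *should* work" list the reply argues a code audit ought to hand to the pen-test: a reviewer can check the /search action, where the validator framework is disabled, before spending time on inputs that already carry required/maxlength rules.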