Re: Manday for Web Pentest

["Andre Gironda" <andreg () gmail com>]

On Tue, Jun 3, 2008 at 4:55 AM, Pete Herzog <lists () isecom org> wrote:
Pete,
> Anyone interested in working with us to create a tool that will do the SCARE
> method for use on web apps, let me know.  I think it would make for an
> interesting crawler that gives the attack surface as a result.

First of all, you should question
1) How much coverage is necessary
2) How to appropriately address coverage issues
3) Other scoping issues
My suggestion is to use FireEye: http://csrc.nist.gov/groups/SNS/acts/download/

Also - can I nominate people for your webapp SCARE crawler project?
1st choice: Alexander Sotirov i.e. http://recon.cx/2008/speakers.html#xss
2nd choice: Andrew Petukhov and Dmitry Kozlov i.e.
http://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf
3rd choice: Matias Madou i.e.
http://www.owasp.org/images/d/d3/AppSecEU08_Dynamic_Taint_Propagation_OWASP.ppt

Another question to add into the mix here (for web applications).  How
do you determine whether you want to do a code review (and to what
degree of automation) or automated black-box scan (and to what degree
of this should be manual)?  Let's say 3 MLOC or 300 websites.  Which
method is faster?  Which tools even scale to meet these requirements?

Cheers,
Andre

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------