Secure Coding mailing list archives
Categories for application security testing & tools
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 03 Mar 2005 09:56:44 +0000
What: need for a Talisker or SANS-type tool-list resource for application security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.

This email: Propose categories for organizing application security tools.

Proposal: Categorize by type of testing one would use the tool to perform.

Detail: Plan to keep this on OWASP or my personal website. Please provide feedback on the distinctions below: if you think they make sense; if you'd prefer some other (e.g. cost, color, extremeness, etc.).

nota bene: this is X-posted to webappsec, secprog, and SC-L

Categories: There are six common ways people use to assess an application for security vulnerabilities, five of which work:

- Vulnerability Scanning (think Qualys, Retina)
- Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)
- Sandboxing for Fault Injection analysis (think Holodeck, monitoring file/reg/proc with Sysinternals tools, etc., combined with FI tools)
- Binary Analysis (the mysteriously disappearing SmartRisk Analyzers, manual w/IDA Pro)
- Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)
- Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)

Problems: some tools cross boundaries; SecurityChecker, for example, is both Fault Injection and Static Source Analysis.

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com