WebApp Sec mailing list archives
Re: Your help gratefully received
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 27 Feb 2003 15:16:35 -0500
I strongly recommend a look at the OWASP top ten paper as a start towards a list of areas to examine. Also check the very last section of the paper for a list of a few areas that are important but didn't make the top ten.

The problem you'll have is that you won't be able to find all of the top ten with automated methods. I am a strong advocate of actually reading the code. No amount of bombardment from the outside is going to uncover design flaws, logic flaws, and a huge variety of other web application flaws.

If you want to find the biggest holes in the least amount of time, my experience is that code review in combination with scanning and penetration testing is the way to go. This provides the most information to the analyst and will allow them to find problems quickly. Security code reviews do not have to be painful, expensive efforts. When done properly, they are no more expensive than external testing, yet far more comprehensive.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Craig_Sullivan () Waitrose co uk
To: webappsec () securityfocus com
Sent: Thursday, February 27, 2003 12:37 PM
Subject: Your help gratefully received

Hi,

I'm conducting a web app sec review for someone and would like some advice. I am assembling some tools that I need to use and also the areas that I am going to concentrate upon during my assessment. The objective here is to see how well I can do against an automated appsec scanning product against a non-commercial test server in the lab.

The questions I have are:

- What tools do you recommend (for general and specific use, e.g. proxies, scanners, site dumping, etc.)?
- What areas should I concentrate on (e.g. state management, SSL, XSS, SQL injection, etc.)?
- What webapp security resources do you use and can recommend?

Thanks very much in advance,

Regards,
Craig.