WebApp Sec mailing list archives

Re: Your help gratefully received


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 27 Feb 2003 15:16:35 -0500

I strongly recommend a look at the OWASP top ten paper as a start towards
a list of areas to examine. Also check the very last section of the paper
for a list of a few areas that are important but didn't make the top ten.

The problem you'll have is that you won't be able to find all of the top
ten with automated methods.  I am a strong advocate of actually reading
the code.  No amount of bombardment from the outside is going to uncover
design flaws, logic flaws, and a huge variety of other web application
flaws.

If you want to find the biggest holes in the least amount of time, my
experience is that code review in combination with scanning and
penetration testing is the way to go.  This provides the most information
to the analyst and will allow them to find problems quickly.

Security code reviews do not have to be painful, expensive efforts.  When
done properly, they are no more expensive than external testing, yet far
more comprehensive.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com
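
The point about logic flaws surviving external "bombardment" can be shown concretely. The following is an added example, not code from the thread or from Aspect Security: an assumed, simplified invoice lookup (constructed data, hypothetical handler names) where the vulnerable and fixed handlers answer injection and XSS payloads identically, so a payload-driven scanner reports nothing on either, while the missing ownership check is obvious to anyone reading the handler and is confirmed by a two-account test a reviewer would write after reading it.

```python
"""Access-control logic flaw: invisible to payload fuzzing, obvious on reading the code.

Assumed, simplified invoice service (constructed for illustration).  Both handlers
share the same strict input parsing and give identical responses to scanner
payloads; the only difference is the ownership check.
"""

from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: invoices keyed by id, each with an owner.
INVOICES: Dict[int, dict] = {
    101: {"owner": "alice", "total": "42.00"},
    102: {"owner": "bob", "total": "1337.00"},
}

Handler = Callable[[str, str], Tuple[int, str]]  # (session_user, raw_id) -> (status, body)


def _parse_id(raw_id: str) -> Optional[int]:
    # Strict parsing: anything non-numeric is rejected before it reaches storage,
    # so SQLi/XSS/traversal payloads never produce an error or a reflection.
    return int(raw_id) if raw_id.isdigit() else None


def get_invoice_vulnerable(session_user: str, raw_id: str) -> Tuple[int, str]:
    """Looks up by id only; never checks that the caller owns the invoice."""
    inv_id = _parse_id(raw_id)
    inv = INVOICES.get(inv_id) if inv_id is not None else None
    if inv is None:
        return 404, "not found"
    return 200, f"invoice {inv_id}: {inv['total']}"


def get_invoice_fixed(session_user: str, raw_id: str) -> Tuple[int, str]:
    """Same lookup, plus the ownership check a code review would flag as missing."""
    inv_id = _parse_id(raw_id)
    inv = INVOICES.get(inv_id) if inv_id is not None else None
    if inv is None or inv["owner"] != session_user:
        # Same 404 for both cases so the endpoint does not confirm foreign ids exist.
        return 404, "not found"
    return 200, f"invoice {inv_id}: {inv['total']}"


# Payloads a generic web scanner would throw at the id parameter (constructed).
PAYLOADS = ["' OR 1=1--", "<script>alert(1)</script>", "../../etc/passwd", "1; DROP TABLE x"]


def scan_parameter(handler: Handler, session_user: str = "alice") -> List[str]:
    """Black-box view: a payload is a finding only if it errors or is reflected."""
    findings = []
    for payload in PAYLOADS:
        status, body = handler(session_user, payload)
        if status >= 500 or payload in body:
            findings.append(payload)
    return findings


def check_horizontal_authz(handler: Handler, victim: str = "bob", attacker: str = "alice") -> List[int]:
    """What a reviewer tests after reading the handler: can alice read bob's invoices?"""
    victim_ids = [i for i, inv in INVOICES.items() if inv["owner"] == victim]
    return [i for i in victim_ids if handler(attacker, str(i))[0] == 200]


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)]:
        print(name, "scanner findings:", scan_parameter(handler),
              "leaked ids:", check_horizontal_authz(handler))
```

Both handlers come back clean from the payload scan; only the ownership test, which presumes the analyst already knows from the code that invoices have owners and that the check is absent, separates them. That is the information a code review puts in front of the analyst and a scanner cannot.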



----- Original Message -----
From: Craig_Sullivan () Waitrose co uk
To: webappsec () securityfocus com
Sent: Thursday, February 27, 2003 12:37 PM
Subject: Your help gratefully received


Hi,

I'm conducting a web app sec review for someone and would like some
advice.

I am assembling some tools that I need to use and also the areas that I am
going to concentrate upon during my assessment.

The objective here is to see how well I can do against an automated appsec
scanning product against a non commercial test server in the lab.

The questions I have are:

What tools do you recommend (for general and specific use, e.g. proxies,
scanners, site dumping, etc.)?
What areas should I concentrate on (e.g. state management, SSL, XSS, SQL
injection, etc.)?
What webapp security resources do you use and can recommend?

Thanks very much in advance,

Regards,

Craig.

