WebApp Sec mailing list archives
Re: Recommendations for web app test?
From: <ban.marketing.bs () hushmail com>
Date: Sat, 23 Oct 2004 12:14:40 -0700
<Insert John Stewart Voice here> Hmm... let me think... oh yeah, I got it: because they are useless... yeah, that's it... because the best can probably find 10% of the holes in an average web site, and even if that were acceptable, it's too late to find holes when the app is already built for it to be economical to fix them. Oh yeah, you don't believe me? Go fire 'em against WebGoat or Hackme Bank or an app you know has specific holes. Anything (any tool) can find mud to sling; it's whether you can find the actual holes that counts! Jeez, what is it with the security community that it thinks it can ignore the years of experience of development communities in fixing software and take a totally different approach? Oh yeah, it's because that's what you have been doing for years with OSes... ding ding, bespoke software is not an OS... they are all different. </Insert John Stewart Voice here>

Moderator - My vote is to go back to banning posts about commercial software, as it always turns into a stealthy marketing fest. I used to like this list because it was opinions. Now it's more spin than substance. I am sure this guy is not the same Cesar that works for AppSec Inc, but it sure would explain the favorite tool! Come on, give the world some credit.

End of Post

> You have another option: buy a web app scanning tool. Why? Because with it you can continuously audit your web application, paying only once. When you hire a company for an audit, one week/month after the audit your web application will have changed (web applications are of a dynamic nature) and will probably have new vulnerabilities, so you will have to audit again and pay again, and so on.
>
> The tool I like most is AppDetective for Web Applications (www.appsecinc.com). Or you can go for free tools, but they are very limited.
>
> Cesar.
>
> --- Daniel <deeper () gmail com> wrote:
>
> > The first statement sounds like a brave one to make! OK, I'll break it down...
> >
> > > What should I be looking for?
> >
> > I'm gathering this is for the company performing the test? I'd say look at a company with a decent track record in application security testing. There are a load of people who have jumped on the app testing bandwagon recently, and I personally doubt they have enough knowledge to perform an in-depth test. The company needs to fully understand the application they are testing and at the same time do an in-depth audit of all components.
> >
> > > What should the auditors be looking for?
> >
> > I'd hope they would be using my pentest checklist as a reference (http://www.owasp.org/documentation/testing/application.html), as they could always give it to you as a reference to what they looked at during the test. If they are good, they know exactly what to look for.
> >
> > > How will I know that they are testing for what I need them to test for?
> >
> > You need to specify exactly what you want tested. If necessary, use the pentest checklist from above and say you want all areas covered.
> >
> > > What is a good price range?
> >
> > I can only speak for UK prices, but around the 1000 to 1500 UKP range per day is common. For your setup, I think 5 days is more than enough and should allow the team testing it to fully understand the applications and find issues.
> >
> > As for security companies I'd recommend (no, this isn't a pro-vendor thing, it's people I know who have the skillset and can do the job right):
> >
> > - Foundstone
> > - @stake
> > - Sensepost
> > - Corsaire
> > - NGS Software
> > - ImmunitySec
> >
> > Daniel
> >
> > On Thu, 21 Oct 2004 05:40:16 +0000, App Crawler <appcrawler_8080 () hotmail com> wrote:
> >
> > > Well, we've decided that everything in our environment is pretty secure, except for our web applications. So, now we need to outsource the security assessment of our web applications. So, my question is, what should I be looking for? What should the auditors be looking for? How will I know that they are testing for what I need them to test for? What is a good price range, based on one e-commerce application, one employee intranet application, and one customer portal application? Should it be based on the number of forms? Or some other metric? Please advise?!?! Thanks.
Current thread:
- Recommendations for web app test? App Crawler (Oct 21)
- Re: Recommendations for web app test? Daniel (Oct 21)
- Re: Recommendations for web app test? Cesar (Oct 22)
- Re: Recommendations for web app test? subscriber (Oct 24)
- Re: Recommendations for web app test? Stephen de Vries (Oct 22)
- <Possible follow-ups>
- Re: Recommendations for web app test? kingpang (Oct 22)
- Re: Recommendations for web app test? ban.marketing.bs (Oct 24)
- Re: Recommendations for web app test? Tom Stracener (Oct 28)
- Re: Recommendations for web app test? Daniel (Oct 21)