WebApp Sec mailing list archives

Categories for application security testing & tools


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 2 Mar 2005 12:01:11 -0600

What: need for a Talisker or SANS-type tool-list resource for application
security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.

This email: Propose categories for organizing application security tools.

Proposal: Categorize by type of testing one would use the tool to perform.

Detail: Plan to keep this on OWASP or my personal website.

Please provide feedback on the distinctions below: whether you think they make
sense, or whether you'd prefer some other basis (e.g. cost, color, extremeness, etc.).

nota bene: this is X-posted to webappsec, secprog, and SC-L

Categories:

There are six common ways people use to assess an application for
security vulnerabilities, five of which work:

-Vulnerability Scanning (think Qualys, Retina)

-Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)

-Sandboxing for Fault Injection analysis (think Holodeck, monitoring
file/reg/proc with Sysinternals tools, etc., combined with FI tools)

-Binary Analysis (the mysteriously disappearing SmartRisk Analyzers,
manual w/IDA Pro)

-Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)

-Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)


Problems: some tools cross boundaries; SecurityChecker, for example, is both
Fault Injection and Static Source Analysis.


Thanks,
 
Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com
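
The Fault Injection/Blackboxing and Sandboxing categories above, as an added example that is not part of the original post: a minimal black-box harness in Python that injects malformed values into a request handler, classifies each response against a baseline response, and also records the SQL the backend actually executed, which is the side-effect view the sandboxing/monitoring category adds on top of plain fault injection. The target handler lookup_user, its hardened form lookup_user_fixed, the in-memory SQLite table and the payload list are all constructed for this example and stand in for a real application under test.

```python
"""Added example (not from the original post): black-box fault injection with
side-effect monitoring against a constructed, deliberately vulnerable handler."""
import json
import re
import sqlite3
from dataclasses import dataclass


def build_target():
    """Constructed in-memory backend standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_user(conn, name):
    """Deliberately vulnerable: untrusted input is concatenated into SQL,
    and the raw database error is returned to the client."""
    try:
        rows = conn.execute(
            "SELECT id, name, role FROM users WHERE name = '" + name + "'"
        ).fetchall()
    except sqlite3.Error as exc:
        return 500, "Database error: %s" % exc
    return 200, json.dumps(rows)


def lookup_user_fixed(conn, name):
    """Hardened form of the same handler: a bound parameter instead of concatenation."""
    rows = conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()
    return 200, json.dumps(rows)


# Malformed inputs a black-box tool would inject into the 'name' parameter.
FAULTS = [
    "'",                          # unbalanced quote
    '"',
    "' OR '1'='1",                # tautology
    "' OR 1=1 --",                # tautology plus comment
    "'); DROP TABLE users; --",   # stacked statement
    "\\",
    "A" * 4096,                   # oversize value
]

# Strings in a response body that betray a leaked backend error.
ERROR_SIGNATURE = re.compile(r"database error|syntax error|unrecognized token", re.I)


@dataclass
class Finding:
    payload: str
    kind: str            # "crash", "error-leak" or "data-disclosure"
    status: int
    evidence: str        # response body or exception text
    executed_sql: list   # statements the backend really ran for this payload


def fuzz(handler, conn, baseline="alice"):
    """Send each fault, compare the response with the baseline, and capture
    what the backend executed (the 'sandbox' view of the same test)."""
    executed = []
    conn.set_trace_callback(executed.append)   # monitor backend side effects
    try:
        base_status, base_body = handler(conn, baseline)
        base_rows = len(json.loads(base_body)) if base_status == 200 else 0
        findings = []
        for payload in FAULTS:
            del executed[:]
            try:
                status, body = handler(conn, payload)
            except Exception as exc:           # unhandled exception == crash
                findings.append(Finding(payload, "crash", 500, repr(exc), list(executed)))
                continue
            if status >= 500 or ERROR_SIGNATURE.search(body):
                findings.append(Finding(payload, "error-leak", status, body, list(executed)))
            elif status == 200 and len(json.loads(body)) > base_rows:
                # More rows than the legitimate baseline: the WHERE clause was bypassed.
                findings.append(Finding(payload, "data-disclosure", status, body, list(executed)))
        return findings
    finally:
        conn.set_trace_callback(None)


if __name__ == "__main__":
    for handler in (lookup_user, lookup_user_fixed):
        for f in fuzz(handler, build_target()):
            print(handler.__name__, f.kind, repr(f.payload), f.executed_sql)
```

Against lookup_user the harness reports error-leak findings for the quote and stacked-statement payloads and data-disclosure findings for the two tautologies, while the parameterized lookup_user_fixed yields nothing. The executed_sql field is what the monitoring side contributes: for the tautology payloads it shows the injected text inside the statement the database actually ran, evidence a response-only tool can only infer.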