WebApp Sec mailing list archives
Re: Application Assessment
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 12 Aug 2005 17:05:25 +0200
On 11 Aug 2005 at 12:57, Jeremiah Grossman wrote:
Today we understand that it's possible to make a test-case website where a scanner could find just about every class of vulnerability. Or, a website where a scanner would be incapable of identifying anything and yet still be riddled with security issues. THIS is the challenge of scanning real world websites. And what do we do about this to make the results meaningful? I would submit that without directly involving those who live and breathe auditing websites and designing scanners, the resulting value of the testing would be limited. And adoption as well.
While I generally prefer to take cover when the titans clash ;-) there's an angle here I'd like to shed light on: Unlike the car industry (I think), in the web application scanning/security world, it is possible (once a test suite/benchmark is known) to patch the scanner to work perfectly for a given benchmark, yet at the same time not significantly improve it.

In the car industry, when you test a car for a head-on crash, side crash, and so forth, you pretty much cover the main areas of interest. A car that gets high scores in all the tests is probably going to be more secure on the road. Period. In the web application security world, where each application is slightly different, the fact that a scanner performed better in a given benchmark doesn't mean it'll perform better in the field, especially if it was patched to perform well for the given benchmark.

So any such attempt should, in my mind, consider how to handle this issue. One such avenue is to create a benchmark of hundreds of applications. This would make it both more real-life (a scanner that performs well on all applications is more likely to perform well in real life, as it is likely that the real life application will bear resemblance to one of the apps in the benchmark), and harder to patch for...