WebApp Sec mailing list archives

RE: What are we trying to "Benchmark" anyway? Report color, length, number of red exclamation points....


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 7 Oct 2005 15:04:54 -0500

Hola Senior Eoin of the small words,

-----Original Message-----
From: Eoin Keary [mailto:eoinkeary () gmail com] 
Sent: Thursday, October 06, 2005 3:48 AM

[...]
> We can evaluate which tools produced the most false positives and, even
> worse, false negatives (biggest problem IMHO).
> What we got was a comparison between the two tools and also a
> comparison between the tools and a human.

Who says your human "control" knows what they are doing?
(rhetorically speaking, not being rude)
 
> Without the third control (manual test) how do we know if the results
> are accurate for either tool?

This provides an unknown quality of control for testing. Humans are
fallible, non-omniscient, poor at repetitive tasks, and have tired eyes.
 
> In general tools are for "the easy stuff"; they do not understand
> workflow or the logic of the app. They cannot handle dynamic URLs:
> One app I tested recently with a number of tools got no results at all,
> but after testing manually it had many XSS issues. These were
> exploited only by understanding the workflow.

I see this all the time. We probably all do. WebInspect, in your
example, is fairly good at doing the stuff I'm not, like checking
for every file with different extension types.

e.g.--global.asa.old or .bak in directories I wouldn't have thought
to check or didn't have the time to make the 10,000 GET requests.

Connection strings can potentially be just as or more valuable than
a limited/reflected XSS in an authenticated part of a web interface.

> I don't have any "big words" to explain this carry-on, but blame the
> marketing staff who know much about very little and very little about

Yep. Sales and marketing. And the CISSP nonsense.

We need science. Scientific analysis of what the issues are, and
what it is we are testing for. I am hoping the NIST SAMATE project
puts us on this path.

I would love to tackle this issue myself, but it's beyond the limited
hours that I have free in life.

-ae
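As an added example (not code from either poster), a small Python harness for the comparison the thread describes: each tool's findings are scored against the manual test as the control, and tool-only findings are listed separately for re-review rather than written off, since the human control is fallible too. The findings and tool names below are constructed sample data.

```python
# Constructed sample data, not results from the thread. A finding is a
# (vulnerability class, location) pair. The manual test is the "third
# control" and is treated here as the ground truth for scoring.
MANUAL_CONTROL = {
    ("xss", "/account/profile?name="),
    ("xss", "/orders/search?q="),
    ("backup-file", "/global.asa.old"),
}

TOOL_RESULTS = {
    "tool-a": {
        ("backup-file", "/global.asa.old"),
        ("backup-file", "/include/db.inc.bak"),  # not in the manual set
        ("xss", "/orders/search?q="),
        ("sqli", "/login"),                       # not in the manual set
    },
    "tool-b": {
        ("backup-file", "/global.asa.old"),
        ("xss", "/account/profile?name="),
    },
}


def score(findings, control):
    """Count TP/FP/FN against the control and derive precision and recall."""
    tp = findings & control
    fp = findings - control
    fn = control - findings
    precision = len(tp) / len(findings) if findings else 0.0
    recall = len(tp) / len(control) if control else 0.0
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn),
        "precision": round(precision, 3), "recall": round(recall, 3),
        "missed": sorted(fn),  # what the tool did not find
    }


def benchmark(tools, control):
    """Score every tool against the same control so results are comparable."""
    return {name: score(found, control) for name, found in tools.items()}


def disputed(tools, control):
    """Findings reported by at least one tool but absent from the control.
    These are candidates for re-review, not automatic false positives:
    the human tester may have missed them (e.g. a forgotten .bak file)."""
    return sorted(set().union(*tools.values()) - control)


if __name__ == "__main__":
    for name, result in benchmark(TOOL_RESULTS, MANUAL_CONTROL).items():
        print(name, result)
    print("re-review:", disputed(TOOL_RESULTS, MANUAL_CONTROL))
```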