WebApp Sec mailing list archives

RE: Web Site Certification


From: "Adam Mikrut" <am () digitalstakeout com>
Date: Thu, 27 Apr 2006 14:01:19 -0400

MOST of these services do a solid network vulnerability scan (Nessus)
and fail miserably on web application scan quality. If you put a logo on
a web application and proclaim it is safe and trustworthy, you need to
ensure the web application is actually tested correctly. A few Nessus web
nasl tests don't cut it...

Buyer beware:

If you go down the route of using a "certification" service, ask the
following questions. 

1) What application layer scanning technology is utilized? If it's built
"in-house", I would download a trial copy of a web application scanner
(SPI Dynamics or Watchfire my pref) and compare results.   
2) Do they test for all the components mentioned in the WASC?
http://www.webappsec.org/projects/threat/v1/WASC-TC-v1_0.txt
3) Do they customize the application scan policy for your web
application (all site parameters accounted for and verify crawl
quality)?

...Then make them prove it to you. 

Depending on the web application, automated testing takes you 50-75% of
the way. The quality of the policy and customized testing get you a
little bit further. However, it is a very difficult task. I find it hard
to believe all this work would be done for just a few hundred bucks a year
per web application. There are companies who do focused managed web
application scanning; they are a little more expensive, but with a better
end result.

Regards, 

Adam Mikrut
CTO
DigitalStakeout, LLC
Web: www.digitalstakeout.com
Phone: 678-638-6281
Fax: 678-638-6283

Who's Watching The Watchers? DigitalStakeout! MSSP SLA Enforcement
Services


-----Original Message-----
From: Nathaniel Hall [mailto:lists () nathanhall net] 
Sent: Thursday, April 27, 2006 9:24 AM
To: Marco Passarella
Cc: webappsec () securityfocus com
Subject: Re: Web Site Certification

Marco Passarella wrote:

Hi all,
what do you think about the remote services that promise your site will
be "hacker free"?
Can you really remotely monitor the security of a site using a scanner?
Here is an example:
http://www.scanalert.com/


It isn't that the site is necessarily "hacker free."  They have simply
guaranteed that the site is not vulnerable to the FBI/SANS top
vulnerabilities (www.sans.org/top20/).  They also meet various credit
card requirements (VISA CISP/PCI).  Click on the "Hacker Safe" logo to
see an explanation.

--
Nathaniel Hall, GSEC GCFW GCIA


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
