[WEB SECURITY] Security Audit Software

Will Jefferies wjefferies at fncinc.com
Wed Jun 22 17:10:46 EDT 2005


Hi, I use SPI Dynamics' WebInspect and it is a very good app. However, I believe that you must go beyond the automated pen test to find everything no matter what package you use. I have found that the best method is to use the auto test to find the low hanging fruit, and then do a by-hand analysis to find the deeper issues. Keep in mind that you will get some (sometimes a lot) false pos/negs, so you will also need to verify the low hanging fruit that was flagged/overlooked. But all-in-all, WebInspect is well worth the money. If nothing else, it will enlighten you as to how certain exploits are accomplished because it lists each attempt in detail. It also produces a nicely formatted report for less-techie upper management.

Will

-----Original Message-----
From: dpw [mailto:dainw at fsr.com] 
Sent: Wednesday, June 22, 2005 3:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security Audit Software

Howdy everyone,

I need to research and hopefully purchase some software to help us evaluate and test the web apps we develop. I realize that the readers of this list are immeasurably more qualified to identify the strengths / weaknesses of these kinds of software than I am, and hope someone out there can give me some useful insight.

SPI Dynamics is so far the only software on my radar for this purpose, but does anyone else have recommendations for security auditing software they trust? Alternatively - does anyone own / use SPI Dynamics' software, and do you feel that it's worth a purchase? 

Thanks in advance,
Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/






