[WEB SECURITY] Security Audit Software

Bill Pennington bill at whitehatsec.com
Wed Jun 22 20:27:39 EDT 2005


One thing I will disagree with you on is the concept of low hanging  
fruit.

Scanners will find things that are easy to find AND things that are  
hard to find (or at least very time consuming to find). These hard  
things generally revolve around file system issues like finding some  
*.old file 10 directories deep. No one is really going to perform all  
those tests by hand; some automation will be used.

Scanners will also miss a lot of things that are easy to find.  
Changing my order number from a 4 to a 5 is easy to do but scanners  
will not find that vulnerability, at least in any useful fashion.  
Scanners can flip bits all day long but unless they understand the  
context that bit is in, then all the tests it performs have limited (or  
no) value. For example, I can write a scanner that auto-increments any  
number it finds in a URL; it will get a response, but it has no way of  
knowing if the content it received is good or bad. A classic number  
flip attack is low hanging fruit, but scanners won't find it.

I think we need to be careful when we say automation will get the low  
hanging fruit which implies that everything after that is "hard" to  
find. A lot of them are easy for people to find, just really hard for  
tools to find.

On Jun 22, 2005, at 2:10 PM, Will Jefferies wrote:

> Hi, I use Spi Dynamics' WebInspect and it is a very good app.   
> However, I believe that you must go beyond the automated pen test  
> to find everything no matter what package you use.  I have found  
> that the best method is to use the auto test to find the low  
> hanging fruit, and then do a by-hand analysis to find the deeper  
> issues.  Keep in mind that you will get some (sometimes a lot)  
> false pos/negs, so you will also need to verify the low hanging  
> fruit that was flagged/overlooked.  But all-in-all, WebInspect is  
> well worth the money.  If nothing else, it will enlighten you as to  
> how certain exploits are accomplished because it lists each attempt  
> in detail.  It also produces a nicely formatted report for less-techie  
> upper management.
>
> Will
>
> -----Original Message-----
> From: dpw [mailto:dainw at fsr.com]
> Sent: Wednesday, June 22, 2005 3:35 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Security Audit Software
>
> Howdy everyone,
>
> I need to research and hopefully purchase some software to help us  
> evaluate and test the web apps we develop. I realize that the  
> readers of this list are immeasurably more qualified to identify  
> the strengths / weaknesses of these kinds of software than I am,  
> and hope someone out there can give me some useful insight.
>
> SPI Dynamics is so far the only software on my radar for this  
> purpose, but does anyone else have recommendations for security  
> auditing software they trust? Alternatively - does anyone own / use  
> SPI Dynamics' software, and do you feel that it's worth a purchase?
>
> Thanks in advance,
> Dain White
> Senior Developer - Webmaster
> First Step Internet, L.L.C.
> www.fsr.com | www.fsr.net
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/


---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
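The "change my order number from a 4 to a 5" case above is what is now usually called an insecure direct object reference. The following is an added example, not code from Bill Pennington's post, from WhiteHat, or from any of the scanners discussed in the thread: a constructed order-lookup handler in its vulnerable and hardened forms, a model of the auto-incrementing probe the post describes (it sees only status codes), and the context-aware check that actually needs to know who owns which order. All names, the sample orders, and the two users are invented for the illustration.

```python
"""Added example (not from the mailing-list post): why an auto-incrementing
scanner cannot judge a "number flip", and what the fix looks like.

Assumptions (all constructed for this illustration):
  - ORDERS stands in for the application's order table.
  - `user` is the already-authenticated caller; authentication is not shown.
"""

# Constructed sample data: two customers, each owning one order.
ORDERS = {
    4: {"owner": "alice", "total": 42.00},
    5: {"owner": "bob", "total": 17.50},
}


class NotFound(Exception):
    """Raised when an order is not visible to the caller."""


def get_order_vulnerable(user: str, order_id: int) -> dict:
    """Looks the order up by id only: any logged-in user can read any order."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(user: str, order_id: int) -> dict:
    """Makes ownership part of the lookup: the order must belong to the caller.

    Missing and foreign orders get the same answer so the id space cannot be
    enumerated by comparing responses.
    """
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        raise NotFound(order_id)
    return order


def naive_probe(handler, user: str, order_id: int) -> dict:
    """Model of the scanner described in the post: it increments the number in
    the request and records only the status code of each response. It has no
    idea whether a 200 for the neighbouring id is the user's own data or
    someone else's."""
    results = {}
    for candidate in (order_id, order_id + 1):
        try:
            handler(user, candidate)
            results[candidate] = 200
        except NotFound:
            results[candidate] = 404
    return results


def context_aware_check(handler, user: str, order_id: int) -> bool:
    """The check a human tester performs: returns True when the handler hands
    the caller an order that belongs to somebody else. Requires knowing the
    ownership relation, which is exactly the context the scanner lacks."""
    try:
        order = handler(user, order_id)
    except NotFound:
        return False
    return order["owner"] != user


if __name__ == "__main__":
    # Both handlers answer 200 for alice's own order; only the status codes
    # differ for bob's, and a scanner cannot tell which pattern is correct.
    print("vulnerable:", naive_probe(get_order_vulnerable, "alice", 4))
    print("hardened:  ", naive_probe(get_order_hardened, "alice", 4))
    print("leak in vulnerable:", context_aware_check(get_order_vulnerable, "alice", 5))
    print("leak in hardened:  ", context_aware_check(get_order_hardened, "alice", 5))
```

Run stand-alone, the probe reports `{4: 200, 5: 200}` against the vulnerable handler and `{4: 200, 5: 404}` against the hardened one. Neither pattern is wrong on its face (a user may legitimately own consecutive orders), which is the point of the post: the 200 is only a finding once the tester knows that order 5 is not alice's, and that knowledge lives in the application's data model, not in the HTTP response. The fix is to put the ownership predicate into every lookup rather than to hide or randomise the identifier.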

