[WEB SECURITY] Security Audit Software

Chris Weber chris at lookout.net
Wed Jun 22 23:41:37 EDT 2005


Yep you're right exactly.  It depends on the level of coverage you're after.
If due diligence for you is running a professional grade scanner that might
or might not find everything, then fine, at least you did more than nothing.
But if you're very serious about the app's security, only a deep and
thorough review that ensures quality code coverage will keep you sleeping.

I do this every day, and I use scanners sometimes to see what they'll find,
and sometimes they save me a few findings, which of course I manually
verify.  However, my most recent findings would never be caught by a
scanner, since they were related to arcane crypto weaknesses and in some
query string values.  And in another case a "sea-monkey" style DoS attack
against some web-app logic.  And in another case, privilege escalation
against supposedly "hidden" values in a site that well, a scanner just would
not have found.  That said, I do use scanners sometimes to complement the
work and provide extra coverage, and I haven't used WebInspect in a while or
Sanctum.  I have used NTO recently though and I like it a lot for its speed
and some other features.  For those looking into session-strength, it has a
great analysis piece for that...

Chris

-----Original Message-----
From: Bill Pennington [mailto:bill at whitehatsec.com] 
Sent: Wednesday, June 22, 2005 5:28 PM
To: websecurity at webappsec.org
Cc: dainw at fsr.com; Will Jefferies
Subject: Re: [WEB SECURITY] Security Audit Software

One thing I will disagree with you on is the concept of low hanging fruit.

Scanners will find things that are easy to find AND things that are hard to
find (or at least very time consuming to find). These hard things generally
revolve around file system issues like finding some *.old file 10
directories deep. No one is really going to perform all those tests by hand,
some automation will be used.

Scanners will also miss a lot of things that are easy to find.
Changing my order number from a 4 to a 5 is easy to do but scanners will not
find that vulnerability, at least in any useful fashion.
Scanners can flip bits all day long but unless they understand the context
that bit is in then all the tests it performs have limited (or
no) value. For example I can write a scanner that auto-increments any number
it finds in a URL, it will get a response but it has no way of knowing if
the content it received is good or bad. A classic number flip attack is low
hanging fruit but scanners won't find it.

I think we need to be careful when we say automation will get the low
hanging fruit which implies that everything after that is "hard" to find. A
lot of them are easy for people to find, just really hard for tools to find.

On Jun 22, 2005, at 2:10 PM, Will Jefferies wrote:

> Hi, I use Spi Dynamics' WebInspect and it is a very good app.   
> However, I believe that you must go beyond the automated pen test to 
> find everything no matter what package you use.  I have found that the 
> best method is to use the auto test to find the low hanging fruit, and 
> then do a by-hand analysis to find the deeper issues.  Keep in mind 
> that you will get some (sometimes a lot) false pos/negs, so you will 
> also need to verify the low hanging fruit that was flagged/overlooked.  
> But all-in-all, WebInspect is well worth the money.  If nothing else, 
> it will enlighten you as to how certain exploits are accomplished 
> because it lists each attempt in detail.  It also produces a nicely 
> formatted report for less-techie upper management.
>
> Will
>
> -----Original Message-----
> From: dpw [mailto:dainw at fsr.com]
> Sent: Wednesday, June 22, 2005 3:35 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Security Audit Software
>
> Howdy everyone,
>
> I need to research and hopefully purchase some software to help us 
> evaluate and test the web apps we develop. I realize that the readers 
> of this list are immeasurably more qualified to identify the strengths 
> / weaknesses of these kinds of software than I am, and hope someone 
> out there can give me some useful insight.
>
> SPI Dynamics is so far the only software on my radar for this purpose, 
> but does anyone else have recommendations for security auditing 
> software they trust? Alternatively - does anyone own / use SPI 
> Dynamics' software, and do you feel that it's worth a purchase?
>
> Thanks in advance,
> Dain White
> Senior Developer - Webmaster
> First Step Internet, L.L.C.
> www.fsr.com | www.fsr.net
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives 
> http://www.webappsec.org/lists/websecurity/archive/


---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
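The order-number flip Bill describes above, as an added example that is not part of the thread or of any product mentioned in it: a minimal order lookup with no ownership check beside the same handler with object-level authorization, plus a "scanner view" that sees only what a context-free tool sees (status code and body size) and an audit matrix that sees what a human reviewer knows (which user owns which order). All users, orders and handler names are constructed for illustration.

```python
# Added example (not from the thread): why an "auto-increment the number"
# scanner cannot see an order-number flip, and the server-side fix.
# Constructed in-memory data; the handler names are hypothetical.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    total: str


# Constructed sample orders belonging to two different customers.
# Totals are the same length so the two responses have identical sizes.
ORDERS = {
    4: Order(4, "alice", "19.99"),
    5: Order(5, "bob", "24.00"),
}


def get_order_vulnerable(session_user: str, order_id: int) -> tuple[int, dict]:
    """Looks the order up by id only; the session owner is never consulted."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, {"order_id": order.order_id, "total": order.total}


def get_order_fixed(session_user: str, order_id: int) -> tuple[int, dict]:
    """Object-level authorization: the order must belong to the caller.

    A foreign order gets the same 404 as a missing one, so the response
    does not reveal whether that order number exists at all.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        return 404, {"error": "not found"}
    return 200, {"order_id": order.order_id, "total": order.total}


def scanner_view(handler, session_user: str, order_id: int) -> tuple[int, int]:
    """What a context-free scanner observes: status code and body size only.

    Against the vulnerable handler, order 4 (alice's own) and order 5
    (bob's) look identical from here, so the flip is invisible to it.
    """
    status, body = handler(session_user, order_id)
    return status, len(str(body))


def owner_sees_foreign_order(handler, session_user: str, order_id: int) -> bool:
    """Ground truth a reviewer has and a scanner lacks: did the caller
    receive an order that belongs to somebody else?"""
    status, _ = handler(session_user, order_id)
    order = ORDERS.get(order_id)
    return status == 200 and order is not None and order.owner != session_user


def leaks(handler) -> list[tuple[str, int]]:
    """Authorization test matrix: every known user against every known
    order. Returns the (user, order_id) pairs where a foreign order was
    served; an empty list means the handler enforces ownership."""
    users = sorted({o.owner for o in ORDERS.values()})
    return sorted(
        (user, oid)
        for user in users
        for oid in ORDERS
        if owner_sees_foreign_order(handler, user, oid)
    )


if __name__ == "__main__":
    print("scanner sees (vulnerable, own order):   ",
          scanner_view(get_order_vulnerable, "alice", 4))
    print("scanner sees (vulnerable, foreign order):",
          scanner_view(get_order_vulnerable, "alice", 5))
    print("leaks in vulnerable handler:", leaks(get_order_vulnerable))
    print("leaks in fixed handler:     ", leaks(get_order_fixed))
```

The `leaks` matrix is the kind of check a reviewer can script only because they know the ownership model; a scanner that increments `order_id` gets a 200 either way and has no owner table to compare against, which is exactly the "no way of knowing if the content it received is good or bad" point made above.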