[WEB SECURITY] Security Audit Software

Bill Pennington bill at whitehatsec.com
Thu Jun 23 00:01:53 EDT 2005


I think I might not have been clear in my last e-mail. It was not intended to be a "scanners are bad" e-mail. Heck, I have been building a scanner for the last 4 years; I know they offer a lot of support to a person performing an assessment.

My issue was with the statement that scanners give you even a low level of coverage or that scanners will find the "easy" stuff. Take the WASC Attack classes or the OWASP Top Ten: scanners might find 1/2 of those issues, and that is a big might. They might miss all of those issues that exist on your web site. Trusting that running a scanner alone will get the easy stuff is a fallacy that I think a lot of people buy into, and it is setting them up for big security issues down the road.

I say you have to use a scanner and you have to perform manual testing. That is the only way you know you got at least all the easy stuff and hopefully you got all the hard stuff as well :-)

On Jun 22, 2005, at 8:41 PM, Chris Weber wrote:

> Yep, you're right exactly. It depends on the level of coverage you're after. If due diligence for you is running a professional grade scanner that might or might not find everything, then fine, at least you did more than nothing. But if you're very serious about the app's security, only a deep and thorough review that ensures quality code coverage will keep you sleeping.
>
> I do this every day, and I use scanners sometimes to see what they'll find, and sometimes they save me a few findings, which of course I manually verify. However, my most recent findings would never be caught by a scanner, since they were related to arcane crypto weaknesses and in some query string values. And in another case a "sea-monkey" style DoS attack against some web-app logic. And in another case, privilege escalation against supposedly "hidden" values in a site that, well, a scanner just would not have found. That said, I do use scanners sometimes to complement the work and provide extra coverage, and I haven't used WebInspect in a while or Sanctum. I have used NTO recently though and I like it a lot for its speed and some other features. For those looking into session-strength, it has a great analysis piece for that...
>
> Chris
>
> -----Original Message-----
> From: Bill Pennington [mailto:bill at whitehatsec.com]
> Sent: Wednesday, June 22, 2005 5:28 PM
> To: websecurity at webappsec.org
> Cc: dainw at fsr.com; Will Jefferies
> Subject: Re: [WEB SECURITY] Security Audit Software
>
> One thing I will disagree with you on is the concept of low hanging fruit.
>
> Scanners will find things that are easy to find AND things that are hard to find (or at least very time consuming to find). These hard things generally revolve around file system issues like finding some *.old file 10 directories deep. No one is really going to perform all those tests by hand; some automation will be used.
>
> Scanners will also miss a lot of things that are easy to find. Changing my order number from a 4 to a 5 is easy to do but scanners will not find that vulnerability, at least in any useful fashion. Scanners can flip bits all day long but unless they understand the context that bit is in then all the tests it performs have limited (or no) value. For example I can write a scanner that auto-increments any number it finds in a URL; it will get a response but it has no way of knowing if the content it received is good or bad. A classic number flip attack is low hanging fruit but scanners won't find it.
>
> I think we need to be careful when we say automation will get the low hanging fruit, which implies that everything after that is "hard" to find. A lot of them are easy for people to find, just really hard for tools to find.
>
> On Jun 22, 2005, at 2:10 PM, Will Jefferies wrote:
>
>
>> Hi, I use SPI Dynamics' WebInspect and it is a very good app. However, I believe that you must go beyond the automated pen test to find everything no matter what package you use. I have found that the best method is to use the auto test to find the low hanging fruit, and then do a by-hand analysis to find the deeper issues. Keep in mind that you will get some (sometimes a lot) false pos/negs, so you will also need to verify the low hanging fruit that was flagged/overlooked. But all-in-all, WebInspect is well worth the money. If nothing else, it will enlighten you as to how certain exploits are accomplished because it lists each attempt in detail. It also produces a nicely formatted report for less-techie upper management.
>>
>> Will
>>
>> -----Original Message-----
>> From: dpw [mailto:dainw at fsr.com]
>> Sent: Wednesday, June 22, 2005 3:35 PM
>> To: websecurity at webappsec.org
>> Subject: [WEB SECURITY] Security Audit Software
>>
>> Howdy everyone,
>>
>> I need to research and hopefully purchase some software to help us evaluate and test the web apps we develop. I realize that the readers of this list are immeasurably more qualified to identify the strengths / weaknesses of these kinds of software than I am, and hope someone out there can give me some useful insight.
>>
>> SPI Dynamics is so far the only software on my radar for this purpose, but does anyone else have recommendations for security auditing software they trust? Alternatively, does anyone own / use SPI Dynamics' software, and do you feel that it's worth a purchase?
>>
>> Thanks in advance,
>> Dain White
>> Senior Developer - Webmaster
>> First Step Internet, L.L.C.
>> www.fsr.com | www.fsr.net
>>
>>
>> ---------------------------------------------------------------------
>> The Web Security Mailing List
>> http://www.webappsec.org/lists/websecurity/
>>
>> The Web Security Mailing List Archives
>> http://www.webappsec.org/lists/websecurity/archive/
>
>
> ---
> Bill Pennington, CISSP, CCNA
> VP Services
> WhiteHat Security Inc.
> http://www.whitehatsec.com
>
>


---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
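The "change order number 4 to 5" case that Bill describes in his quoted message is an authorization flaw (an insecure direct object reference), and his point is that a scanner which only increments numbers has no oracle to tell a legitimate order page from someone else's order page. The example below is added here and is not code from the thread or from any of the products it mentions; the order store, user names and handlers are all constructed. It models the vulnerable handler beside the fixed one, then shows why a status-code-only check gives the same verdict for both while a two-identity ownership check (the kind of context a human tester supplies) separates them.

```python
# Added example: why a context-free scanner cannot see an order-number flip,
# and what the fix plus a context-aware check look like. All data is constructed.
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one order.
ORDERS = {
    4: {"owner": "alice", "total": "19.99"},
    5: {"owner": "bob", "total": "249.00"},
}


@dataclass
class Response:
    status: int
    body: dict


def get_order_vulnerable(session_user: str, order_id: int) -> Response:
    """Looks the order up by id only; never asks who is allowed to see it."""
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def get_order_fixed(session_user: str, order_id: int) -> Response:
    """Same lookup, but the record must belong to the requesting user."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same answer for "missing" and "not yours", so the check itself
        # does not reveal which ids exist.
        return Response(404, {"error": "not found"})
    return Response(200, order)


def naive_scanner_verdict(handler, session_user: str, order_id: int) -> str:
    """What a context-free scanner sees: bump the id and look at the status.
    A 200 on the neighbouring id is indistinguishable from legitimate data,
    and a 404 is indistinguishable from a real gap in the id space."""
    r = handler(session_user, order_id + 1)
    return "server error" if r.status >= 500 else "looks fine"


def ownership_check(handler, user_a: str, user_b: str, order_of_b: int) -> bool:
    """Context-aware check: user A asks for an order known to belong to B.
    Returns True when the handler behaves correctly (A is refused, B still
    gets the order); False means an authorization flaw."""
    a_view = handler(user_a, order_of_b)
    b_view = handler(user_b, order_of_b)
    return a_view.status != 200 and b_view.status == 200


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(name, "naive scanner:", naive_scanner_verdict(handler, "alice", 4),
              "| ownership check passes:", ownership_check(handler, "alice", "bob", 5))
```

Both handlers return a well-formed 200 or 404, so `naive_scanner_verdict` reports "looks fine" for each; the flaw only becomes visible to a check that knows which user is supposed to own order 5. That knowledge is exactly the context Bill says the tool lacks, and it is why a scanner's results need manual verification against the application's own authorization rules.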

