[WEB SECURITY] Security Audit Software

Ory Segal osegal at watchfire.com
Thu Jun 23 02:00:19 EDT 2005


Hi,

I think that all those who wrote here that automated scanners are not as
thorough as manual audits are totally missing the point of automated
scanning.

Automated scanners were never meant to replace the manual audit process;
they are just helping to find cracks and possible problems in web
applications. Manual audit of a large web application is almost
impossible, and you are likely to miss many problems. Think about an
application with 100 (or even 1000) scripts, where each script accepts
several parameters: do you really think that you can test each parameter
in each script for SQL Injection, Cross Site Scripting, HTTP Response
Splitting, etc.? That would take months of work...

Automated scanners might have some shortcomings, but if used correctly,
they will save you a lot of time and money.

IMO - if you want to perform a proper and thorough audit, you should use
an automated scanner as well as manual audit, in order to get full
coverage.

-Ory



-----Original Message-----
From: dpw [mailto:dainw at fsr.com] 
Sent: Wednesday, June 22, 2005 11:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security Audit Software

Howdy everyone,

I need to research and hopefully purchase some software to help us
evaluate and test the web apps we develop. I realize that the readers of
this list are immeasurably more qualified to identify the strengths /
weaknesses of these kinds of software than I am, and hope someone out
there can give me some useful insight.

SPI Dynamics is so far the only software on my radar for this purpose,
but does anyone else have recommendations for security auditing software
they trust? Alternatively - does anyone own / use SPI Dynamics'
software, and do you feel that it's worth a purchase? 

Thanks in advance,
Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
