[WEB SECURITY] Security Audit Software

Irene Abezgauz irene.abezgauz at gmail.com
Thu Jun 23 09:25:01 EDT 2005


I completely agree with Ory on this one.
Scanners are better than humans when it comes to finding nasty technical
flaws like default directories, various common file leftovers, comments
in the code that are sometimes overlooked by humans, some of them are
even pretty good at finding SQL injections, XSS vulnerabilities and
similar things.
A scanner cannot replace a good penetration tester, but a good tester
also knows when to resort to the use of an automatic tool as an aid.
Just like you don't do manual port scanning on all the ports, sometimes
scanners are better than human testing, but only when it comes to
technical flaws. Scanners are quite useless when it comes to logical
vulnerabilities.
 
However, there's one important issue being overlooked in this entire
conversation - a scanner is better than nothing.
If the decision is between no penetration testing, or an unprofessional
one - it's better to use a scanner, if it's a good one.
 
Irene
 
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Email: irene at hacktics.com
Web: www.hacktics.com
 
 
-----Original Message-----
From: Ory Segal [mailto:osegal at watchfire.com] 
Sent: Thursday, June 23, 2005 8:00 AM
To: dainw at fsr.com; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Security Audit Software
 
Hi,
 
I think that all those who wrote here that automated scanners are not as
thorough as manual audits are totally missing the point of automated
scanning.
 
Automated scanners were never meant to replace the manual audit process,
they are just helping to find cracks and possible problems in web
applications. Manual audit of a large web application is almost
impossible, and you are likely to miss many problems. Think about an
application with 100 (or even 1000) scripts, where each script accepts
several parameters. Do you really think that you can test each parameter
in each script for SQL Injection, Cross Site Scripting, HTTP Response
Splitting, etc.? That would take months of work...
 
Automated scanners might have some shortcomings, but if used correctly,
they will save you a lot of time and money.
 
IMO - if you want to perform a proper and thorough audit, you should use
an automated scanner as well as manual audit, in order to get full
coverage.
 
-Ory
 
 
 
-----Original Message-----
From: dpw [mailto:dainw at fsr.com] 
Sent: Wednesday, June 22, 2005 11:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security Audit Software
 
Howdy everyone,
 
I need to research and hopefully purchase some software to help us
evaluate and test the web apps we develop. I realize that the readers of
this list are immeasurably more qualified to identify the strengths /
weaknesses of these kinds of software than I am, and hope someone out
there can give me some useful insight.
 
SPI Dynamics is so far the only software on my radar for this purpose,
but does anyone else have recommendations for security auditing software
they trust? Alternatively - does anyone own / use SPI Dynamics'
software, and do you feel that it's worth a purchase? 
 
Thanks in advance,
Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net
 
 
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
 
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
 
 
 