[WEB SECURITY] Security Audit Software

Chris Weber chris at lookout.net
Thu Jun 23 14:31:05 EDT 2005


Yep, scanners are great when they work to complement a thorough professional
testing effort. 

-----Original Message-----
From: Ory Segal [mailto:osegal at watchfire.com] 
Sent: Wednesday, June 22, 2005 11:00 PM
To: dainw at fsr.com; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Security Audit Software

Hi,

I think that all those who wrote here that automated scanners are not as
thorough as manual audits are totally missing the point of automated
scanning.

Automated scanners were never meant to replace the manual audit process,
they are just helping to find cracks and possible problems in web
applications. Manual audit of a large web application is almost impossible,
and you are likely to miss many problems. Think about an application with
100 (or even 1000) scripts, where each script accepts several parameters. Do
you really think that you can test each parameter in each script for SQL
Injection, Cross Site Scripting, HTTP Response Splitting, etc.? That would
take months of work...

Automated scanners might have some shortcomings, but if used correctly,
they will save you a lot of time and money.

IMO - if you want to perform a proper and thorough audit, you should use an
automated scanner as well as manual audit, in order to get full coverage.

-Ory



-----Original Message-----
From: dpw [mailto:dainw at fsr.com]
Sent: Wednesday, June 22, 2005 11:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security Audit Software

Howdy everyone,

I need to research and hopefully purchase some software to help us evaluate
and test the web apps we develop. I realize that the readers of this list
are immeasurably more qualified to identify the strengths / weaknesses of
these kinds of software than I am, and hope someone out there can give me
some useful insight.

SPI Dynamics is so far the only software on my radar for this purpose, but
does anyone else have recommendations for security auditing software they
trust? Alternatively - does anyone own / use SPI Dynamics'
software, and do you feel that it's worth a purchase? 

Thanks in advance,
Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
