[WEB SECURITY] Security Audit Software

Evans, Arian Arian.Evans at fishnetsecurity.com
Thu Jun 23 16:54:00 EDT 2005


Okay, I'll get this out of the way: I like scanners, I use scanners,
and I work for a company that resells some scanners too. Your question
is one of huge interest to me, and one that many vendors answer incorrectly.

> I've got a corollary question:
> Does anyone have a good list of requirements that they use while 
> evaluating products in this space?

You know, I tell clients on a regular basis that they have living,
3D requirements right under their nose. They just haven't bothered
to document them yet.

You see, the requirements are documented in your code.

I do not believe anything short of human eyeballs reviewing applications
and defining unique requirements that are environment specific will
suffice. I just saved someone from wasting something on the order of
200-to-400k on web app firewalls that wouldn't have (and couldn't have)
done *anything* for their primary application security holes.

We have too many vendors and widget sellers out there right now
taking this "box with a barcode" approach to application security,
particularly webappsec. It doesn't work that way. (Though I am
_not_ saying these tools do not have value.)

So how do we define meaningful requirements?

As for technical requirements, those vary widely (wildly?) per
person/organization. We could probably make some high-level list
of requirements (e.g., I need a tool that can parse JavaScript and
C++) and then add vague specificity (e.g., the tool needs to fill out a
web form or a Win32 GUI text input box), but the bottom line is: if
you don't have, say, XSS issues, then who cares how good a tool is
at finding XSS or blocking XSS?

I try to position myself before people spend a dime on anything
to go out and look over their applications and environment and
build specifications unique to their environments.

I will frequently use a scanner or other forms of automation
while doing this, but that is one piece of the puzzle.

So I guess I should conclude my rant by asking: what do you mean
by "requirements"? Do you want to evaluate which is "the best web
app firewall in the world at blocking XSS", or "what is the best
tool for solving my specific pains"?

If this isn't well written blame it on the meds. Also, tell me
and I'll take a stab at a clearer answer next week.


