[WEB SECURITY] Security Audit Software

Arin Komins akomins at uchicago.edu
Fri Jun 24 08:41:15 EDT 2005

On Thu, 23 Jun 2005, Evans, Arian wrote:

:Subject: RE: [WEB SECURITY] Security Audit Software

s/Anrin/Arin/ ;-)

:You know, I tell clients on a regular basis that they have living,
:3D requirements right under their nose. They just haven't bothered
:to document them yet.
:You see, the requirements are documented in your code.
:I do not believe anything short of human eyeballs reviewing applications
:and defining unique requirements that are environment specific will
:suffice. I just saved someone from wasting something on the order of
:200-to-400k on web app firewalls that wouldn't have (and couldn't have)
:done *anything* for their primary application security holes.

I'm not arguing against manual review.  Like most everyone else on this 
list, I recognize that manual review will catch more items, and be more 
thorough than running through a product.

However, the products do save a certain amount of time.  ...and like any 
product to be purchased, it helps to have a requirements list, so you have 
objective criteria to judge products.

(...and in this case, I'm not looking at WAFs.  Just scanning products.)

:As for technical requirements, those vary widely (wildly?) per
:person/organization. We could probably make some high level list
:of requirements (e.g.-I need a tool that can parse javascript and
:C++) and then vague specificity (e.g.--tool needs to fill out a
:web form or Win32 GUI text input box) but the bottom line is if
:you don't have say XSS issues then who cares how good a tool is
:at finding XSS or blocking XSS.

Well, I've got a wide-ranging goal of "should look for as many potential 
issues as possible, with as broad a depth in each area as possible."  
How's that for unrealistic :-) 

However, there are certain common requirements that folks may have (types 
of reports offered, ability to update the scanning engines regularly, 
open API or other method of writing custom scanning checks, ability to 
save point-in-time audits, autocrawling, proxy capability, etc., i.e. more 
generic stuff.) 

:I try to position myself before people spend a dime on anything
:to go out and look over their applications and environment and
:build specifications unique to their environments.

Well, yes, but when your environment is wildly divergent (I'm at a 
University), then that approach doesn't always work well.

:So I guess I should conclude my rant by saying what do you mean
:by "requirements"? Do you want to evaluate which is "the best web
:app firewall in the world at blocking XSS" or "what is the best
:tool for solving my specific pains"?

Well, I'm looking for objective criteria to compare vendor products.  
(After all, formal procurement processes sometimes demand that you have 
such things ;-) ) 


Arin Komins			       	      akomins at uchicago.edu
Assistant Director/ENSS
University of Chicago/NSIT/ENSS			tel: (773)834-4087
1155 E. 60th St. #418	 Chicago, IL 60637	fax: (773)702-0559

The Web Security Mailing List
