[WEB SECURITY] Security Audit Software

Evans, Arian Arian.Evans at fishnetsecurity.com
Fri Jun 24 16:38:18 EDT 2005

> s/Anrin/Arin/ ;-)

Ooops. Sorry. Blame it on pills. Funny, I'm so intolerant
of people who can't cut and paste my name and then I...

> I'm not arguing against manual review.  Like most everyone

Wasn't sure where you were at on your webappsec knowledge
journey, so that's good. Agreed on the value of automation
tools. Sounds like you know what you need.

Someone on WASC, I think Caleb Sima @SPI, mentioned a project
to provide technical criteria for evaluating scanning tools.
Definitely needed. I try to go over this in my 'tools' data
but there are too many tools right now for me to keep up with
them all as I unfortunately discovered.

> Well, I'm looking for objective criteria to compare vendor products.
> (After all, formal procurement processes sometimes demand
> that you have such things ;-) )

Someone could start by making a simple non-marketing excel
matrix, if one doesn't already exist.

--Form Fill, check,
--Customize form values, check,
--parse flash/actionscript, check.

That sort of thing. I don't have the time right now but surely
someone on this list does, if one of the vendors doesn't have
one already...

Another problem is things like everyone tells you that they
"parse javascript", but there are VAST differences in the
various scanners' abilities to actually parse javascript effectively.
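One way to turn the "parses JavaScript" claim into an objective, repeatable criterion is a fixture page whose probe endpoints are reachable only through JavaScript constructs, with a server that records which probes a crawler actually requests. The following is an added example for this thread, not code from the list post or from any vendor; the `/probe/...` paths and the four constructs are hypothetical choices for the fixture. A regex-only crawler is included as the baseline that shows the failure mode (it finds only the plain link); a scanner under evaluation would be pointed at `server.url` and scored with `server.report()` in the same way.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Probe endpoints and the construct a crawler must handle to reach each one
# (hypothetical fixture paths, chosen for this example).
PROBES = {
    "/probe/static":  "plain <a href> link (control case, no JavaScript)",
    "/probe/inline":  "URL concatenated inside an inline <script> and document.write()",
    "/probe/onclick": "form submitted only from an onclick handler",
    "/probe/dom":     "anchor created and appended to the DOM after window.onload",
}

# Constructed fixture page: only the first link is visible in the raw HTML.
INDEX_HTML = """<html><body>
<a href="/probe/static">static</a>
<script>
  var base = "/probe/";
  var target = base + "in" + "line";
  document.write('<a href="' + target + '">inline</a>');
</script>
<form id="f" action="/probe/onclick" method="get"></form>
<button onclick="document.getElementById('f').submit()">go</button>
<script>
  window.onload = function () {
    var a = document.createElement("a");
    a.href = "/probe/" + ["d", "o", "m"].join("");
    a.textContent = "dom";
    document.body.appendChild(a);
  };
</script>
</body></html>"""


class ProbeServer:
    """Serves the fixture on a loopback port and records which probes were hit."""

    def __init__(self):
        self.hits = set()
        outer = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                path = self.path.split("?", 1)[0]
                if path in PROBES:
                    outer.hits.add(path)
                body = INDEX_HTML if path == "/" else "ok"
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.end_headers()
                self.wfile.write(body.encode())

            def log_message(self, *args):  # keep the demo quiet
                pass

        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.url = "http://127.0.0.1:%d" % self.httpd.server_address[1]
        self.thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()

    def report(self):
        """Map each probe to True/False depending on whether it was requested."""
        return {path: path in self.hits for path in PROBES}


def naive_crawl(base_url):
    """Regex-only crawler: follows href="/..." in the raw HTML, runs no JavaScript."""
    html = urllib.request.urlopen(base_url + "/").read().decode()
    for href in re.findall(r'href="(/[^"]*)"', html):
        urllib.request.urlopen(base_url + href).read()


def run_naive_baseline():
    """Point the regex crawler at the fixture and return its per-probe coverage."""
    server = ProbeServer().start()
    try:
        naive_crawl(server.url)
        return server.report()
    finally:
        server.stop()


if __name__ == "__main__":
    for path, found in run_naive_baseline().items():
        print("%-16s %s  (%s)" % (path, "FOUND" if found else "missed", PROBES[path]))
```

The baseline finds 1 of 4 probes; each additional construct a scanner reaches is one more row it can honestly tick in the comparison matrix, and the construct list can be extended (event handlers on other elements, XHR-built URLs, and so on) without changing the scoring.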


