[WEB SECURITY] In depth security scanning versus breadth based

Wilson Henriquez bosshog at gmail.com
Wed Jul 8 03:38:13 EDT 2009


Current issues our team has with running our scanning tool:

1. Integration of our scanning tool and QA's testing software. They
currently do not play well with each other, thereby making it harder to
leverage QA's test scripts.
2. Test Data. Keeping up with test data needs for the new pieces of
functionality being introduced into every release has been tough.
3. Time. Weeding out the false positives is just time-consuming.

-Wil

On Tue, Jul 7, 2009 at 9:09 PM, <robert at webappsec.org> wrote:

> > For simple web applications with no "wizard-like" logic, this might be
> > achieved... but when the application starts to get more complex, IMHO
> > you've got two ways to go:
> >
> > - Throw away the scanner, and perform manual testing, which is the
> > only real way in which you'll be sure that all the web application
> > vulnerabilities are being found. With this, I'm not saying that
>
> You make the general statement assuming that manpower is available for
> re-pen testing every parameter on every product release. The reality is
> most people will never be able to afford this. Not to mention hiring
> penetration testers doesn't scale, and QA is only capable of so much.
>
> Scanners are good at finding *certain issues* (each app/site is different),
> and as I said in my previous email I don't want to get into that
> debate/discussion. I am asking the list if anyone has tried implementing
> this and had good/bad luck and to share their experiences.
>
> > scanners are useless! Damn... I write one in my spare time! What I'm
> > saying is that when the web application gets really, really complex...
> > the only way to test it properly is by hand.
>
> Nobody is debating the need for deep dive pen tests, but if you wish to
> test on every release this is simply impossible for 99.99999999% of
> companies/organizations.
>
> Regards,
> - Robert
> http://www.cgisecurity.com/
>
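Wil's third point (weeding out false positives by hand) and Robert's question (can a scanner be run against every release?) meet in the same place: the output of each scan has to be compared against the previous one and against what a human has already rejected, or the review cost grows with every release. The script below is an added example and is not code from either poster or from any particular scanner. It assumes a simplified JSON report shape (`type`, `url`, `param`) and constructed sample reports; real scanners each have their own export format, so the loader would need adapting.

```python
"""Triage web-scanner findings across releases (added example).

Normalise each finding to a stable key, drop keys a reviewer has already
rejected, and split what remains into "new since the last release" and
"recurring". The JSON shape and the sample reports below are constructed
for this example; no real scanner output is reproduced.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample reports: the previous release's scan and the current one.
PREVIOUS_SCAN = json.dumps([
    {"type": "xss_reflected", "url": "https://app.example/search?q=x", "param": "q"},
    {"type": "sqli", "url": "https://app.example/orders/1042", "param": "id"},
    {"type": "missing_hsts", "url": "https://app.example/", "param": ""},
])
CURRENT_SCAN = json.dumps([
    {"type": "xss_reflected", "url": "https://app.example/search?q=y", "param": "q"},
    {"type": "sqli", "url": "https://app.example/orders/2291", "param": "id"},
    {"type": "sqli", "url": "https://app.example/orders/7", "param": "id"},
    {"type": "missing_hsts", "url": "https://app.example/", "param": ""},
    {"type": "open_redirect", "url": "https://app.example/go?next=/", "param": "next"},
])

# Findings a human has reviewed and rejected. Each suppression is a full
# (type, normalised path, parameter) key plus the reason, so it is auditable
# and does not silently disable a whole class of check.
KNOWN_FALSE_POSITIVES = {
    ("missing_hsts", "/", ""): "HSTS is added by the edge proxy; scanner hit origin",
}

_NUMERIC_SEGMENT = re.compile(r"^\d+$")


def normalise_path(url):
    """Strip the query string and collapse numeric path segments to {id},
    so /orders/1042 and /orders/2291 compare as the same endpoint."""
    segments = urlsplit(url).path.split("/")
    return "/".join("{id}" if _NUMERIC_SEGMENT.match(s) else s for s in segments) or "/"


def finding_key(finding):
    """Stable identity of a finding across releases and test-data changes."""
    return (finding["type"], normalise_path(finding["url"]), finding.get("param", ""))


def triage(current_json, previous_json, suppressions):
    """Return {"new": [...], "recurring": [...], "suppressed": [...]} keys.

    Duplicates within the current scan (same issue on several concrete URLs)
    are reported once, so one bug is one line of review work."""
    previous = {finding_key(f) for f in json.loads(previous_json)}
    seen = set()
    result = {"new": [], "recurring": [], "suppressed": []}
    for finding in json.loads(current_json):
        key = finding_key(finding)
        if key in seen:
            continue
        seen.add(key)
        if key in suppressions:
            result["suppressed"].append(key)
        elif key in previous:
            result["recurring"].append(key)
        else:
            result["new"].append(key)
    return result


if __name__ == "__main__":
    report = triage(CURRENT_SCAN, PREVIOUS_SCAN, KNOWN_FALSE_POSITIVES)
    for bucket, keys in report.items():
        print(f"{bucket}: {len(keys)}")
        for key in keys:
            print("   ", key)
```

Only the "new" bucket needs a human on release day; "recurring" is tracked work and "suppressed" is already decided. Note the trade-off in `normalise_path`: collapsing numeric IDs is what keeps the keys stable when QA's test data changes between builds (Wil's second point), but the same normalisation will also merge two genuinely different objects if a vulnerability is specific to one record, so the suppression list should be revisited whenever an endpoint's handler changes.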