[WEB SECURITY] In depth security scanning versus breadth based

Adam Muntner adam.muntner at quietmove.com
Wed Jul 8 04:26:28 EDT 2009


WebInspect and Hailstorm both perform pretty well in this regard.

You can record a specific traversal, and the scanner will record your
actions. Then later it will log back in, keep state, and do fault injection
testing etc.

If the session dies part of the way through the kind of "funnel" you
describe, the result will be unpredictable.

On Tue, Jul 7, 2009 at 9:09 PM, <robert at webappsec.org> wrote:

> > For simple web applications with no "wizard-like" logic, this might be
> > achieved... but when the application starts to get more complex, IMHO
> > you've got two ways to go:
> >
> > - Throw away the scanner, and perform manual testing, which is the
> > only real way in which you'll be sure that all the web application
> > vulnerabilities are being found. With this, I'm not saying that
>
> You make the general statement assuming that manpower is available for
> re-pen testing every parameter on every product release. The reality is
> most people will never be able to afford this. Not to mention hiring
> penetration testers doesn't scale, and QA is only capable of so much.
>
> Scanners are good at finding *certain issues* (each app/site is different),
> and as I said in my previous email I don't want to get into that
> debate/discussion. I am asking the list if anyone has tried implementing
> this and had good/bad luck and to share their experiences.
>
> > scanners are useless! Damn... I write one in my spare time! What I'm
> > saying is that when the web application gets really, really complex...
> > the only way to test it properly is by hand.
>
> Nobody is debating the need for deep dive pen tests, but if you wish to
> test on every release this is simply impossible for 99.99999999% of
> companies/organizations.
>
> Regards,
> - Robert
> http://www.cgisecurity.com/


-- 
Adam Muntner, CISSP
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

office: 1(866) 894-0459
fax: 1(866) 272-8194
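The recorded-traversal behaviour described above (replay a captured funnel, keep server-side state, inject faults, and cope with the session dying part way through) as an added, self-contained example. This is illustration code written for this page, not code from WebInspect, Hailstorm or any other scanner; the toy wizard app, its endpoints, the session TTL, the credentials and the reflection payload are all constructed. It shows why a mid-funnel session loss makes a naive replay's results depend on the session timeout, and how re-authenticating and restarting the current replay makes the run deterministic.

```python
import itertools


class ToyFunnelApp:
    """Constructed wizard-style app: /login, then /step1 -> /step2 -> /step3.

    The wizard position lives in the server-side session, and a session is
    silently dropped after `session_ttl` requests (any response is then a
    302 to /login).  /step3 reflects its 'comment' parameter unescaped; that
    is the planted finding the scanner should reach.
    """

    STEPS = {"/step1": 1, "/step2": 2, "/step3": 3}

    def __init__(self, session_ttl=5):
        self.session_ttl = session_ttl
        self.sessions = {}               # sid -> {"hits": int, "stage": int}
        self._ids = itertools.count(1)

    def request(self, path, params, sid=None):
        """Return (status, body, sid), as a very small HTTP client would see it."""
        if path == "/login":
            if params.get("user") == "alice" and params.get("pass") == "s3cret":
                sid = f"sid{next(self._ids)}"
                self.sessions[sid] = {"hits": 0, "stage": 0}
                return 200, "welcome", sid
            return 401, "bad credentials", None
        sess = self.sessions.get(sid)
        if sess is None:
            return 302, "Location: /login", None
        sess["hits"] += 1
        if sess["hits"] > self.session_ttl:       # session dies mid-funnel
            del self.sessions[sid]
            return 302, "Location: /login", None
        stage = self.STEPS.get(path)
        if stage is None:
            return 404, "not found", sid
        if stage > 1 and sess["stage"] != stage - 1:
            return 400, "wizard step out of order", sid
        sess["stage"] = stage
        if stage == 3:
            return 200, f"<p>Thanks: {params.get('comment', '')}</p>", sid
        return 200, f"step {stage} ok", sid


# The "recorded traversal" a tester captures by walking the funnel once (constructed).
LOGIN = ("/login", {"user": "alice", "pass": "s3cret"})
RECORDED_TRAVERSAL = [
    ("/step1", {"name": "Alice"}),
    ("/step2", {"address": "1 Main St"}),
    ("/step3", {"comment": "hello"}),
]
PAYLOAD = "<script>alert(1)</script>"   # constructed reflection probe


def fuzz_funnel(app, traversal, login, payload, relogin=True, max_relogins=50):
    """Replay the traversal once per injection point (step, parameter).

    Every replay starts from step 1 because the server tracks the wizard
    position in the session.  A redirect to /login means the session is
    gone: with relogin=True we authenticate again and restart the current
    replay; with relogin=False that injection point is abandoned.
    Returns {"findings": [(path, param), ...], "aborted": n, "relogins": n}.
    """
    findings, aborted, relogins = [], 0, 0

    def authenticate():
        status, _, new_sid = app.request(login[0], login[1])
        if status != 200:
            raise RuntimeError("recorded login no longer works")
        return new_sid

    sid = authenticate()
    for target_idx, (_, target_params) in enumerate(traversal):
        for param in target_params:
            while True:                       # one complete funnel replay
                session_lost = False
                for idx, (path, params) in enumerate(traversal):
                    p = dict(params)
                    if idx == target_idx:
                        p[param] = payload    # fault injection at this point only
                    status, body, _ = app.request(path, p, sid)
                    if status == 302 and "/login" in body:
                        session_lost = True
                        break
                    if idx == target_idx and payload in body:
                        findings.append((path, param))
                if not session_lost:
                    break
                if not relogin or relogins >= max_relogins:
                    aborted += 1
                    break
                relogins += 1
                sid = authenticate()          # keep state: restart this replay


    return {"findings": findings, "aborted": aborted, "relogins": relogins}


if __name__ == "__main__":
    for ttl, relogin in ((5, True), (5, False), (100, False)):
        result = fuzz_funnel(ToyFunnelApp(ttl), RECORDED_TRAVERSAL, LOGIN, PAYLOAD, relogin)
        print(f"ttl={ttl:<3} relogin={relogin!s:<5} -> {result}")
```

With a five-request session TTL the naive replay (relogin=False) never reaches the reflected parameter on step 3, while the same naive replay with a generous TTL does: the outcome depends on a timeout the tester does not control, which is the "unpredictable" result. The state-aware replay re-authenticates and restarts the funnel from step 1, so it reaches every injection point regardless of TTL. Real scanners also have to recognise session loss that does not come as a clean redirect (a 200 with the login form, a changed CSRF token, a "session expired" banner), which is where macro-based login detection usually needs tuning.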