[WEB SECURITY] In depth security scanning versus breadth based

Mangiarelli, Jerry jerry.mangiarelli at td.com
Wed Jul 8 06:41:22 EDT 2009


I would have to agree towards a manual process. Logic that spans across multiple pages requires an educated trial and error process. Inference observations is the way to go.


Best regards,

Jerry Mangiarelli, CISSP, CEH
Technology Risk Management and Information Security
TD Bank Financial Group
Bus: 519-663-1577, Mobile: 519-670-6090
jerry.mangiarelli at td.com

----- Original Message -----
From: robert at webappsec.org <robert at webappsec.org>
To: Andres Riancho <andres.riancho at gmail.com>
Cc: robert at webappsec.org <robert at webappsec.org>; websecurity at webappsec.org <websecurity at webappsec.org>
Sent: Wed Jul 08 00:09:24 2009
Subject: Re: [WEB SECURITY] In depth security scanning versus breadth based

> For simple web applications with no "wizard-like" logic, this might be
> achieved... but when the application starts to get more complex, IMHO
> you've got two ways to go:
> - Throw away the scanner, and perform manual testing, which is the
> only real way in which you'll be sure that all the web application
> vulnerabilities are being found. With this, I'm not saying that

You make the general statement assuming that manpower is available for repen testing 
every parameter on every product release. The reality is most people will never be able
to afford this. Not to mention hiring penetration testers doesn't scale, and QA is only capable
of so much.  

Scanners are good at finding *certain issues* (each app/site is different), and as I said in my 
previous email I don't want to get into that debate/discussion. I am asking the list if anyone has tried
implementing this and had good/bad luck and to share their experiences. 

> scanners are useless! Damn... I write one in my spare time! What I'm
> saying is that when the web application gets really, really complex...
> the only way to test it properly is by hand.

Nobody is debating the need for deep dive pen tests, but if you wish to test on every release
this is simply impossible for 99.99999999% of companies/organizations.  

- Robert

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

This communication including any information transmitted with it is 
intended only for the use of the addressees and is confidential. 
If you are not an intended recipient or responsible for delivering 
the message to an intended recipient, any review, disclosure, 
conversion to hard copy, dissemination, reproduction or other use 
of any part of this communication is strictly prohibited, as is the 
taking or omitting of any action in reliance upon this communication. 
If you receive this communication in error or without authorization 
please notify us immediately by return e-mail or otherwise and 
permanently delete the entire communication from any computer, 
disk drive, or other storage medium.

If the above disclaimer is not properly readable, it can be found at 
Ce courriel, ainsi que tout renseignement ci-inclus, destiné uniquement 
aux destinataires susmentionnés,  est confidentiel.  Si vous 
n'êtes pas le destinataire prévu ou un agent responsable de la 
livraison de ce courriel, tout examen, divulgation, copie, impression, 
reproduction, distribution, ou autre utilisation d'une partie de ce 
courriel est strictement interdit de même que toute intervention ou 
abstraction à cet égard.  Si vous avez reçu ce message par erreur ou 
sans autorisation, veuillez en aviser immédiatement l'expéditeur par 
retour de courriel ou par un autre moyen et supprimer immédiatement 
cette communication entière de tout système électronique.

Si l'avis de non-responsabilité ci-dessus n'est pas lisible, vous 
pouvez le consulter à www.td.com/francais/legale

More information about the websecurity mailing list