[WEB SECURITY] In depth security scanning versus breadth based
jerry.mangiarelli at td.com
Wed Jul 8 06:41:22 EDT 2009
I would have to agree towards a manual process. Logic that spans across multiple pages requires an educated trial and error process. Inference observations is the way to go.
Jerry Mangiarelli, CISSP, CEH
Technology Risk Management and Information Security
TD Bank Financial Group
Bus: 519-663-1577, Mobile: 519-670-6090
jerry.mangiarelli at td.com
----- Original Message -----
From: robert at webappsec.org <robert at webappsec.org>
To: Andres Riancho <andres.riancho at gmail.com>
Cc: robert at webappsec.org <robert at webappsec.org>; websecurity at webappsec.org <websecurity at webappsec.org>
Sent: Wed Jul 08 00:09:24 2009
Subject: Re: [WEB SECURITY] In depth security scanning versus breadth based
> For simple web applications with no "wizard-like" logic, this might be
> achieved... but when the application starts to get more complex, IMHO
> you've got two ways to go:
> - Throw away the scanner, and perform manual testing, which is the
> only real way in which you'll be sure that all the web application
> vulnerabilities are being found. With this, I'm not saying that
You make the general statement assuming that manpower is available for repen testing
every parameter on every product release. The reality is most people will never be able
to afford this. Not to mention hiring penetration testers doesn't scale, and QA is only capable
of so much.
Scanners are good at finding *certain issues* (each app/site is different), and as I said in my
previous email I don't want to get into that debate/discussion. I am asking the list if anyone has tried
implementing this and had good/bad luck and to share their experiences.
> scanners are useless! Damn... I write one in my spare time! What I'm
> saying is that when the web application gets really, really complex...
> the only way to test it properly is by hand.
Nobody is debating the need for deep dive pen tests, but if you wish to test on every release
this is simply impossible for 99.99999999% of companies/organizations.
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
NOTICE OF CONFIDENTIALITY
This communication including any information transmitted with it is
intended only for the use of the addressees and is confidential.
If you are not an intended recipient or responsible for delivering
the message to an intended recipient, any review, disclosure,
conversion to hard copy, dissemination, reproduction or other use
of any part of this communication is strictly prohibited, as is the
taking or omitting of any action in reliance upon this communication.
If you receive this communication in error or without authorization
please notify us immediately by return e-mail or otherwise and
permanently delete the entire communication from any computer,
disk drive, or other storage medium.
If the above disclaimer is not properly readable, it can be found at
AVERTISSEMENT DE CONFIDENTIALITE
Ce courriel, ainsi que tout renseignement ci-inclus, destiné uniquement
aux destinataires susmentionnés, est confidentiel. Si vous
n'êtes pas le destinataire prévu ou un agent responsable de la
livraison de ce courriel, tout examen, divulgation, copie, impression,
reproduction, distribution, ou autre utilisation d'une partie de ce
courriel est strictement interdit de même que toute intervention ou
abstraction à cet égard. Si vous avez reçu ce message par erreur ou
sans autorisation, veuillez en aviser immédiatement l'expéditeur par
retour de courriel ou par un autre moyen et supprimer immédiatement
cette communication entière de tout système électronique.
Si l'avis de non-responsabilité ci-dessus n'est pas lisible, vous
pouvez le consulter à www.td.com/francais/legale
More information about the websecurity