[WEB SECURITY] In depth security scanning versus breadth based

James Landis elspood at gmail.com
Wed Jul 8 11:51:12 EDT 2009


If your nirvana is having fully automated runtime testing performed
for every major/minor release, at some point the application itself
will need to be redesigned so that it is easy to test. There are many
advantages to pushing Web applications closer to statelessness, not
the least of which is ease of testing/QA. While it would be great if
there was a payoff in creating a "universal wizard logic tester", it
is unlikely that such a thing could reasonably exist, and would no
doubt require so much "training" that it could hardly be called fully
automated, anyway. I don't really see major scanner companies being
heavily pressured from any direction (customers or each other) to
solve this problem.

It's time that we start including security-test-driven design as a
requirement as long as we're talking about general test-driven design.

-j

On Tue, Jul 7, 2009 at 9:09 PM, <robert at webappsec.org> wrote:
>> For simple web applications with no "wizard-like" logic, this might be
>> achieved... but when the application starts to get more complex, IMHO
>> you've got two ways to go:
>>
>> - Throw away the scanner, and perform manual testing, which is the
>> only real way in which you'll be sure that all the web application
>> vulnerabilities are being found. With this, I'm not saying that
>
> You make the general statement assuming that manpower is available for re-pen testing
> every parameter on every product release. The reality is most people will never be able
> to afford this. Not to mention hiring penetration testers doesn't scale, and QA is only capable
> of so much.
>
> Scanners are good at finding *certain issues* (each app/site is different), and as I said in my
> previous email I don't want to get into that debate/discussion. I am asking the list if anyone has tried
> implementing this and had good/bad luck and to share their experiences.
>
>> scanners are useless! Damn... I write one in my spare time! What I'm
>> saying is that when the web application gets really, really complex...
>> the only way to test it properly is by hand.
>
> Nobody is debating the need for deep dive pen tests, but if you wish to test on every release
> this is simply impossible for 99.99999999% of companies/organizations.
>
> Regards,
> - Robert
> http://www.cgisecurity.com/
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

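As an added illustration of the two points James raises above (pushing wizard-style flows toward statelessness so each step can be exercised on its own, and writing security tests alongside the ordinary ones), here is a toy three-step wizard whose per-request state travels with the client as an HMAC-signed token, together with the security checks a release pipeline could run against it. This is example code, not code from either post or from any scanner product; the step names, field rules, secret key and the `wizard_step`/`check_*` functions are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import html
import json

# Constructed for the example; a real deployment would load this from a secret store.
SECRET = b"example-only-secret"

STEPS = ("name", "email", "confirm")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(state: dict) -> str:
    """Serialise wizard state and append an HMAC so the client can carry it."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_state(token: str) -> dict:
    """Reject anything whose HMAC does not match before trusting its contents."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(payload)


def wizard_step(token, step: int, form: dict) -> dict:
    """One stateless request of the wizard: (token, step, form) -> result.
    No server-side session: everything the step needs is in the token."""
    state = verify_state(token) if token else {"step": 0, "data": {}}
    if step != state["step"]:
        raise ValueError(f"expected step {state['step']}, got {step}")
    field = STEPS[step]
    if field == "confirm":
        # Encode at the render site; data from earlier steps is still untrusted.
        summary = "<p>Name: {}</p><p>Email: {}</p>".format(
            html.escape(state["data"]["name"]), html.escape(state["data"]["email"]))
        return {"done": True, "html": summary}
    value = form.get(field, "")
    if len(value) > 100:
        raise ValueError("value too long")
    if field == "email" and "@" not in value:
        raise ValueError("invalid email")
    state["data"][field] = value
    state["step"] = step + 1
    return {"done": False, "next_token": sign_state(state)}


# Security checks that run in the same suite as the functional tests.

def check_happy_path() -> bool:
    token = wizard_step(None, 0, {"name": "Alice"})["next_token"]
    token = wizard_step(token, 1, {"email": "alice@example.com"})["next_token"]
    return wizard_step(token, 2, {})["done"]


def check_steps_cannot_be_skipped() -> bool:
    """A step-0 token must not be accepted as authority to run step 2."""
    token = wizard_step(None, 0, {"name": "Alice"})["next_token"]
    try:
        wizard_step(token, 2, {})
    except ValueError:
        return True
    return False


def check_tampered_token_rejected() -> bool:
    """Editing the carried state without the key must fail the HMAC check."""
    token = wizard_step(None, 0, {"name": "Alice"})["next_token"]
    payload_b64, mac_b64 = token.split(".", 1)
    state = json.loads(_b64d(payload_b64))
    state["step"] = 2
    state["data"]["email"] = "x@example.com"
    forged_payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    forged = _b64e(forged_payload) + "." + mac_b64  # old MAC, new payload
    try:
        wizard_step(forged, 2, {})
    except ValueError:
        return True
    return False


def check_summary_escapes_input() -> bool:
    """Input from step 0 must come out HTML-encoded in the step-2 summary."""
    token = wizard_step(None, 0, {"name": "<script>alert(1)</script>"})["next_token"]
    token = wizard_step(token, 1, {"email": "a@example.com"})["next_token"]
    page = wizard_step(token, 2, {})["html"]
    return "<script>" not in page and "&lt;script&gt;" in page
```

Because each request carries its own signed state, a test (or a scanner driven by the test suite) can start the wizard at any step by constructing a token, which is exactly what a session-bound wizard makes hard. The three `check_*` functions are the kind of release-gating security tests the thread is arguing for: step-skipping, token tampering and output encoding are checked on every build without a human re-testing every parameter.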