[WEB SECURITY] In depth security scanning versus breadth based

bugtraq at cgisecurity.net
Thu Jul 9 13:47:38 EDT 2009


Agreed on previous points.

> I strongly feel that this sort of question continues to prove that "web app 
> security" is *not* strictly a "security problem" and that the QA teams must 
> be involved in testing... even if they don't fully understand the nature of 
> the work.  Security teams (traditional security personnel) simply aren't 
> equipped to handle this in *most* cases.

To me one of the largest disconnects that I see is the lack of a formalized process for pen testing. 
QA is a fairly well understood concept with various processes/styles/methodologies. This includes 
processes (waterfall, agile, blah blah), test plans, regression testing, defect triage, etc.

If I hire 2 different pen testers they will have some testing overlap but I cannot get assurances
that they will test for the same things in the same way (at the very LEAST). QA on the other hand 
utilizes test plans to assure that certain tests are retested in the same way. (I touch on this briefly @ 
http://www.qasec.com/2007/01/writing-software-security-test-cases.html). This is actually one of my core
use cases (http://projects.webappsec.org/Using-the-Threat-Classification) for the WASC Threat Classification
(http://www.webappsec.org/projects/threat/) and it has helped me out multiple times. 

I believe certain forms of security testing eventually will make it into QA security/negative test case plans, but I suspect
the only people capable of doing this in the next 5-7 years will be spending lots of $ writing custom integrations 
and figuring out how to plug it into their process. I also suspect this won't catch on until some of the following happen:

- Regulation or compliance requiring it
- A solid methodology for integrating security testing into QA is published and revised many many times
- Better guides/documentation on how security teams can approach integrating SOME testing into QA
- Better tool integration, and education on what tools CAN/CANNOT be used for. Again this will vary on a per-app basis
  and will require a customization phase in almost every situation.

Regards,
- Robert A.
http://www.cgisecurity.com/
http://www.qasec.com/
http://www.webappsec.org/ 



> 
> Cheers.
> 
> __
> Rafal M. Los
> Security & IT Risk Strategist
> 
>  - Blog:     http://preachsecurity.blogspot.com
>  - LinkedIn: http://www.linkedin.com/in/rmlos
>  - Twitter:  http://twitter.com/RafalLos
> 
> --------------------------------------------------
> From: <robert at webappsec.org>
> Sent: Tuesday, July 07, 2009 7:14 PM
> To: <websecurity at webappsec.org>
> Subject: [WEB SECURITY] In depth security scanning versus breadth based
> 
> Hello Everyone,
> 
> Many automated tools are great at crawling/attacking every URL they 
> discover, however they fail to properly visit URL sequences
> in order. For example, you must complete a 5 page process to get to the 
> functionality on page 6. Certain commercial products
> support 'macros' where you can record those 'URL sequences' in order and 
> can later audit them in order. What are the list's
> experiences with getting blackbox tools to perform this depth of review in a 
> pre/post production environment?
> 
> If you plan on replying with one of the following replies you will be 
> ignored! :)
> - Debating the types of attacks/weaknesses tools are good at finding
> - Debating source code/sca analysis vs blackbox
> - Pitching your product/service
> 
> Regards,
> - Robert A.
> http://www.cgisecurity.com/ Application Security news, and more
> http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security 
> Mailing List
> http://www.qasec.com/ Software Security Testing in QA and Development
> 
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA 
> 


More information about the websecurity mailing list
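The breadth-versus-depth gap the original post describes, as an added example that is not code from the thread or from any tool it mentions: a constructed stand-in for a 6-step workflow (URLs `/checkout/step1` .. `/checkout/step6` are assumed) shows that a crawl-everything scanner only ever renders step 1, while an in-order recorded "macro" reaches all six pages, and the same replay fails loudly when the recording skips a gate, which is what makes it a repeatable QA-style security test case.

```python
# Added example, not code from the thread: a constructed 6-step workflow app
# plus a crawl-everything strategy and an in-order macro replay for comparison.
from dataclasses import dataclass, field

STEPS = [f"/checkout/step{i}" for i in range(1, 7)]  # constructed URLs step1..step6

@dataclass
class WorkflowApp:
    """Constructed app: step N is served only if steps 1..N-1 were confirmed in this session."""
    done: dict = field(default_factory=dict)  # session id -> number of steps confirmed

    def request(self, sid, method, url, form=None):
        completed = self.done.setdefault(sid, 0)
        n = STEPS.index(url)
        if n > completed:
            return 302, [STEPS[completed]]  # bounce to the first unfinished step
        nxt = [STEPS[n + 1]] if n + 1 < len(STEPS) else []
        if method == "POST" and (form or {}).get("confirm") == "yes":
            self.done[sid] = max(completed, n + 1)
            return (302, nxt) if nxt else (200, [])  # advance, or finish at step 6
        return 200, nxt  # page renders with a link to the next step

def crawl_everything(app, start, sid="crawler"):
    """Breadth-first GET of every discovered URL in one session; no forms submitted."""
    seen, queue, audited = set(), [start], []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, links = app.request(sid, "GET", url)
        if status == 200:
            audited.append(url)  # only pages that actually rendered can be audited
        queue.extend(links)
    return audited

# Constructed recording of the legitimate flow: view each step, then confirm it.
MACRO = [(m, u, f, 200 if m == "GET" or u == STEPS[-1] else 302)
         for u in STEPS for m, f in (("GET", None), ("POST", {"confirm": "yes"}))]

def replay_macro(app, macro, sid="macro"):
    """Replays the recording in order in one session; stops at the first deviation."""
    audited = []
    for i, (method, url, form, expected) in enumerate(macro):
        status, _ = app.request(sid, method, url, form)
        if status != expected:
            return audited, f"step {i}: {method} {url} returned {status}, expected {expected}"
        if method == "GET":
            audited.append(url)
    return audited, None  # every page reached in order, none deviated
```

Comparing the two `audited` lists is the "depth" metric the post asks about: pages the scanner could actually render and therefore test.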