[WEB SECURITY] In depth security scanning versus breadth based

bugtraq at cgisecurity.net
Thu Jul 9 17:43:09 EDT 2009


> 
> bugtraq at cgisecurity.net wrote on 7/9/2009 12:47 PM: 
> > - Better tool integration, and education on what tools CAN/CANNOT be used for. Again this will vary on a per app basis
> >   and will require a customization phase in almost every situation.
> 
> Ed Bellis has an interesting tool called Conduit [1] that will import the results from a variety of VA tools and "normalize" their results into a common format, which can then be confirmed and imported into bug tracking/QA systems for remediation. There's a video of him talking about it at SnowFROC09 where he explains how it grew out of a need at Orbitz to better manage, track and remediate security issues in web apps, networks and databases [2].

I should have been more clear. More specifically, the ability to suck in URLs/POSTs/sample data from QA test cases into a format these tools can use. Many tools have support for defect filing into Mercury products and the like.

Regards,
- Robert

> 
> - Bil
> 
> 
> [1] https://conduit.honeyapps.com/
> [2] http://video.google.com/videoplay?docid=-8396241750899139680


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA