[WEB SECURITY] Need a vulnerable XML Web Service

Andre Gironda andreg at gmail.com
Wed Jun 9 13:52:51 EDT 2010


On Wed, Jun 9, 2010 at 3:37 AM, Ory Segal <SEGALORY at il.ibm.com> wrote:
> You know - not everyone is Andre Gironda :-)  Not everyone knows web application security as well as you do. Using Burp proxy, and other manual tools, is not always the right solution for everybody. Some people either don't have the time or the resources to learn how to fuzz web services manually. That is why they prefer working with automated scanners.

My job in the application security community is to
#1 Job: Rid us of the phrases "Manual" and "Automated" (and any
derivations such as "manually")
#2 Job: Optimize a method to attract and retain the right kind of
pre-assessed talent to be web application security experts much better
than myself
#3 Job: Operationalize a way to solve broad-reaching and sweeping
problems in web application security by understanding and recognizing
our limited instructional capital, social capital, and most
importantly -- individual capital

Solutions:
1) Use the words "Peripheral Security Testing" and "Adversarial
Security Testing" instead

2) Quiz potentials on their Multiple Intelligences and identify
learners that gravitate towards intrapersonal learning and at least
one other kind of learning

3) Leverage outsourced usability testing, dev-testing, and other forms
of quality testing and combine their efforts with Peripheral Security
Testing Tools such as Fortify PTA, FiddlerCap or Fiddler2 with Casaba
Watcher, Burp Suite Pro's passive analysis, and Google Ratproxy

> Yes, we are all aware that scanners are far from perfect, and that given enough resources and time, manual work will probably find more issues, but sometimes, people have to find the balance between what they can and want to do.

There is little to be called "manual" about the way that I use Burp
Suite Pro. There is little to be called "automated" about the way that
I use app scanners. You are using the wrong words.

> Seriously, in 2010, I thought we'd already be after that "scanners are evil, we should all use shell scripts" phase ;-)

This is not what I'm saying, but it does seem to prove my point. I
mean, what's more automated than a "shell script"?

-Andre

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
