[WEB SECURITY] Application Categorization !!

Andre Gironda andreg at gmail.com
Thu Apr 28 17:05:51 EDT 2011


On Thu, Apr 28, 2011 at 10:52 AM, Parmendra Sharma
<s.parmendra at gmail.com> wrote:
> What are the factors based on which you put an application into one of
> the categories, i.e. Small, Medium and Large application? Maybe you see / ask
> your customer the number of dynamic pages within the apps etc. etc. What
> factors make you decide about the right category of an application?

Scoping by number of URIs, parameters (including action/controller/%d
parameters), API calls (this especially applies to web services) as
well as components and architecture that are involved with the
execution and data flow.

The phrase "Small" to one code review team may be different than
another team's view of "Small". Companies like Aspect Security publish
their numbers about how many lines of code that they review per month.

> Is there any tool among (Acunetix, Appscan and Webinspect) which is capable
> of telling which category the scanned app falls in, i.e. Small, Medium or
> Large?

Burp Suite Professional has an "analyse target" tooltip in the Target
tab. After a full-knowledge walk of the application (note that a
spider or crawler cannot necessarily detect this appropriately), the
number of dynamic and static URIs can be calculated, along with the
HTTP methods and number of parameters per method, per URI.
Additionally, headers (including cookies) that need to be tested will
also need to be included in this calculation.

I find Burp Suite Professional to therefore be the most valuable tool
for scoping web application runtime analysis work.

However, I also appreciate WebInspect's "Crawled URLs Report" which is
a standard QA report available in that tool. It can be printed
following a crawl-only run of the WebInspect scanner (assuming that
this must be completely automated).

You can also get a similar list by using O2 and WebInspect in
coordination as described here --
http://o2platform.com/wiki/3rd_Party_Tool_-_Using_O2_with_WebInspect_files

> What is the timeframe (standard, if any) you generally take to perform VA /
> PT for small, medium and large category applications for OWASP Top 10
> vulnerabilities?

Many organizations prefer to perform continuous vulnerability
assessment testing and penetration-testing, and combine them with
source code assisted penetration-tests, full-knowledge
penetration-tests, and secure application development management (e.g.
Open SAMM / Microsoft SDL).

Many organizations prefer to utilize the CWE-700 to understand
software weaknesses and usually follow the guidance from SAFEcode
around how to deal with specific CWE weaknesses. They use the CWE-700
in place of the OWASP Top 10. This is a very good idea because the
OWASP Top 10 is only a subset of the critical vulnerabilities that
could occur in applications.

> Has someone performed VA / PT on Push Technologies / Novel Technologies such
> as Lightstreamer and AMF / Livecycle / Blaze, apps like CXF? (posted this
> earlier also but did not receive any comments.... any little help will be
> quite useful)

While I work for competing organizations, the application security
consulting company Gotham Digital Science has done lots of work with
AMF and Blaze. Their consultants publish work specifically on these
technologies that make it into conferences such as BlackHat and
Shmoocon.
http://gdssecurity.com

You will likely want to find an application security consulting
company that best fits your own personal needs. Generally, this would
be a provider that is local to your area, or that services it
frequently. I suggest a search on LinkedIn for "application security
consulting" to best help address your needs. Companies such as
Forrester and The 451 Group perform industry analysis of the major and
minor players in this industry -- so if you already have a
subscription (or don't feel confident making these decisions alone),
be sure to check out the work that they have done.

In your area (again, these are competitors of mine, but I have no
qualms about recommending them) -- I believe Corsaire and Pure Hacking
are two companies that come to mind.

Cheers,
Andre
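An added example, not part of the reply above and not Burp's "analyse target" implementation: a Python script that takes a constructed request log from a full-knowledge walk and computes the scoping counts the reply describes (dynamic vs static URIs, HTTP methods per URI, parameters per method per URI, and cookies that need testing). The sample requests, the static-extension list, and the collapsing of numeric path segments into one %d-style route are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")

# Constructed sample walk: (method, request target, form body, Cookie header).
SAMPLE_REQUESTS = [
    ("GET", "/", "", ""),
    ("GET", "/static/app.js", "", ""),
    ("GET", "/static/site.css", "", ""),
    ("GET", "/products?id=12&sort=price", "", "session=abc"),
    ("GET", "/products?id=13", "", "session=abc"),
    ("POST", "/cart/add", "sku=42&qty=1", "session=abc; cart=9"),
    ("POST", "/login", "user=a&pass=b", ""),
    ("GET", "/account", "", "session=abc"),
    ("DELETE", "/cart/9", "", "session=abc"),
]

def normalise(path):
    """Collapse numeric segments (/cart/9 -> /cart/{n}) so a %d-style route
    counts once; each collapsed segment is reported as a path parameter."""
    segs = path.split("/")
    names = {f"path[{i}]" for i, s in enumerate(segs) if s.isdigit()}
    return "/".join("{n}" if s.isdigit() else s for s in segs), names

def analyse(requests):
    """Scoping counts for a walk given as (method, target, body, cookies)."""
    params = defaultdict(set)  # (uri, method) -> parameter names seen
    cookies = set()
    for method, target, body, cookie_hdr in requests:
        parts = urlsplit(target)
        uri, names = normalise(parts.path)
        names |= set(parse_qs(parts.query, keep_blank_values=True))
        names |= set(parse_qs(body, keep_blank_values=True))
        params[(uri, method)] |= names
        cookies |= {c.split("=", 1)[0].strip()
                    for c in cookie_hdr.split(";") if "=" in c}
    # Dynamic: takes parameters, uses a non-GET method, or is not a static asset.
    dynamic = {u for (u, m), n in params.items()
               if n or m != "GET" or not u.lower().endswith(STATIC_EXT)}
    uris = {u for u, _ in params}
    n_params = sum(len(n) for n in params.values())
    return {
        "uris": len(uris), "dynamic": len(dynamic), "static": len(uris - dynamic),
        "method_uri_pairs": len(params), "parameters": n_params,
        "cookies": len(cookies), "injection_points": n_params + len(cookies),
        "detail": {f"{m} {u}": sorted(n) for (u, m), n in params.items()},
    }
```

Calling `analyse(SAMPLE_REQUESTS)` on the constructed walk reports 8 URIs (6 dynamic, 2 static), 7 parameters and 2 cookies, and the `detail` map lists the parameter names per method and URI for the scoping write-up.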
