websecurity@lists.webappsec.org

The Web Security Mailing List


Application Categorization !!

Parmendra Sharma
Thu, Apr 28, 2011 5:52 PM

Hello Everyone,

I request your inputs for the questions below:

  • What are the factors based on which you put an application into one of
    the categories, i.e. Small, Medium and Large application? Maybe you see / ask
    your customer the number of dynamic pages within the apps etc. What
    factors make you decide about the right category of an application?
  • Is there any tool among (Acunetix, Appscan and Webinspect) which is
    capable of telling which category the scanned apps fall in, i.e. Small,
    Medium and Large?
  • What is the timeframe (standard if any) you generally take to perform
    VA / PT for small, medium and large category applications for OWASP Top 10
    vulnerabilities?
  • Has someone performed VA / PT on Push Technologies / Novel Technologies
    such as Lightstreamer and AMF / Livecycle / Blaze, apps like CXF? (Posted
    this earlier also but did not receive any comments; any little help will
    be quite useful.)

Thanks a lot.

--
Thanks and Regards:
Pam

Parmendra Sharma
Application Security Consultant
email: s.parmendra@gmail.com

Andre Gironda
Thu, Apr 28, 2011 9:05 PM

On Thu, Apr 28, 2011 at 10:52 AM, Parmendra Sharma
s.parmendra@gmail.com wrote:

> What are the factors based on which you put an application into one of
> the categories, i.e. Small, Medium and Large application? Maybe you see / ask
> your customer the number of dynamic pages within the apps etc. What
> factors make you decide about the right category of an application?

Scoping by number of URIs, parameters (including action/controller/%d
parameters), API calls (this especially applies to web services) as
well as components and architecture that are involved with the
execution and data flow.

The phrase, "Small", to one code review team may be different than
another team's view of "Small". Companies like Aspect Security publish
their numbers about how many lines of code that they review per month.

> Is there any tool among (Acunetix, Appscan and Webinspect) which is capable
> of telling which category the scanned apps fall in, i.e. Small, Medium and
> Large?

Burp Suite Professional has an "analyse target" tooltip in the Target
tab. After a full-knowledge walk of the application (note that a
spider or crawler cannot necessarily detect this appropriately), the
number of dynamic and static URIs can be calculated, along with the
HTTP methods and number of parameters per method, per URI.
Additionally, headers (including cookies) that need to be tested will
also need to be included in this calculation.

I find Burp Suite Professional to therefore be the most valuable tool
for scoping web application runtime analysis work.

However, I also appreciate WebInspect's "Crawled URLs Report" which is
a standard QA report available in that tool. It can be printed
following a crawl-only run of the WebInspect scanner (assuming that
this must be completely automated).

You can also get a similar list by using O2 and WebInspect in
coordination as described here --
http://o2platform.com/wiki/3rd_Party_Tool_-_Using_O2_with_WebInspect_files

> What is the timeframe (standard if any) you generally take to perform VA /
> PT for small, medium and large category applications for OWASP Top 10
> vulnerabilities?

Many organizations prefer to perform continuous vulnerability
assessment testing and penetration-testing, and combine them with
source code assisted penetration-tests, full-knowledge
penetration-tests, and secure application development management (e.g.
Open SAMM / Microsoft SDL).

Many organizations prefer to utilize the CWE-700 to understand
software weaknesses and usually follow the guidance from SAFEcode
around how to deal with specific CWE weaknesses. They use the CWE-700
in place of the OWASP Top 10. This is a very good idea because the
OWASP Top 10 is only a subset of the critical vulnerabilities that
could occur in applications.

> Has someone performed VA / PT on Push Technologies / Novel Technologies such
> as Lightstreamer and AMF / Livecycle / Blaze, apps like CXF? (Posted this
> earlier also but did not receive any comments; any little help will be
> quite useful.)

While I work for competing organizations, the application security
consulting company Gotham Digital Science has done lots of work with
AMF and Blaze. Their consultants publish work specifically on these
technologies that make it into conferences such as BlackHat and
Shmoocon.
http://gdssecurity.com

You will likely want to find an application security consulting
company that best fits your own personal needs. Generally, this would
be a provider that is local to your area, or that services it
frequently. I suggest a search on LinkedIn for "application security
consulting" to best help address your needs. Companies such as
Forrester and The 451 Group perform industry analysis of the major and
minor players in this industry -- so if you already have a
subscription (or don't feel confident making these decisions alone),
be sure to check out the work that they have done.

In your area (again, these are competitors of mine, but I have no
qualms about recommending them) -- I believe Corsaire and Pure Hacking
are two companies that come to mind.

Cheers,
Andre

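As an added example (not from the thread or from any of the tools it names), the script below computes the scoping counts Andre describes from a constructed request list standing in for the export of a full-knowledge walk: static vs dynamic URIs, parameters per method and URI (with numeric path segments collapsed to %d so REST-style ids count as one positional parameter), and the request headers and cookies that are also in scope. SAMPLE_WALK, normalize and scope_metrics are names chosen here.

```python
import re
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")
NUMERIC = re.compile(r"^\d+$")
# Constructed sample of a full-knowledge walk: (method, url, request headers, body params).
SAMPLE_WALK = [
    ("GET", "http://app.example/login", {"Cookie": "sid=abc"}, {}),
    ("POST", "http://app.example/login", {"Cookie": "sid=abc"}, {"user": "u", "pass": "p"}),
    ("GET", "http://app.example/account/7?tab=profile", {"Cookie": "sid=abc; pref=dark"}, {}),
    ("GET", "http://app.example/account/8", {"Cookie": "sid=abc", "X-Requested-With": "XMLHttpRequest"}, {}),
    ("POST", "http://app.example/api/transfer", {"Cookie": "sid=abc", "X-CSRF-Token": "t"}, {"to": "1", "amount": "5"}),
    ("GET", "http://app.example/static/app.js", {}, {}),
]

def normalize(path):
    # Collapse numeric segments (/account/7 -> /account/%d) into one URI with a positional parameter.
    segs = path.split("/")
    path_params = set()
    for i, seg in enumerate(segs):
        if NUMERIC.match(seg):
            segs[i] = "%d"
            path_params.add(f"path[{i}]")
    return "/".join(segs), path_params

def scope_metrics(walk):
    # Testable surface: dynamic vs static URIs, parameters per (method, URI), headers and cookies.
    params = defaultdict(set)
    static, dynamic, headers, cookies = set(), set(), set(), set()
    for method, url, hdrs, body in walk:
        parts = urlsplit(url)
        if parts.path.lower().endswith(STATIC_EXT):
            static.add(parts.path)  # static assets carry no parameters to test
            continue
        template, path_params = normalize(parts.path)
        dynamic.add(template)
        key = (method.upper(), template)
        params[key] |= path_params | set(parse_qs(parts.query, keep_blank_values=True)) | set(body)
        for name, value in hdrs.items():
            if name.lower() == "cookie":
                cookies |= set(SimpleCookie(value).keys())
            else:
                headers.add(name)
    return {"static_uris": len(static), "dynamic_uris": len(dynamic),
            "endpoints": {f"{m} {t}": sorted(p) for (m, t), p in sorted(params.items())},
            "parameters": sum(len(p) for p in params.values()),
            "headers": sorted(headers), "cookies": sorted(cookies)}
```

Feeding it a real proxy export instead of SAMPLE_WALK gives the per-URI, per-method parameter table that the sizing discussion above is based on.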
Gaurav Shah
Wed, May 4, 2011 5:09 AM

Hi Parmendra,

I actually wanted to gather all my thoughts before I could reply to this
query of yours.
I have put my comments inline.

On Thu, Apr 28, 2011 at 11:22 PM, Parmendra Sharma s.parmendra@gmail.com wrote:

> Hello Everyone,
>
> I request your inputs for the questions below:
>
> - What are the factors based on which you put an application into one
> of the categories, i.e. Small, Medium and Large application? Maybe you see /
> ask your customer the number of dynamic pages within the apps etc. What
> factors make you decide about the right category of an application?

[Gaurav] - I would first like to know why you want to categorize into
Small, Medium & Large?

> - Is there any tool among (Acunetix, Appscan and Webinspect) which is
> capable of telling which category the scanned apps fall in, i.e. Small,
> Medium and Large?

[Gaurav] - No tool will help you categorize.

> - What is the timeframe (standard if any) you generally take to perform
> VA / PT for small, medium and large category applications for OWASP Top 10
> vulnerabilities?

[Gaurav] - The timeframe is more or less dependent upon the
complexity of the particular webpage/website.

> - Has someone performed VA / PT on Push Technologies / Novel Technologies
> such as Lightstreamer and AMF / Livecycle / Blaze, apps like CXF? (Posted
> this earlier also but did not receive any comments; any little help will
> be quite useful.)

[Gaurav] - Sorry, I have not worked on Push Technologies /
Novel Technologies.

> Thanks a lot.
>
> --
> Thanks and Regards:
> Pam
>
> Parmendra Sharma
> Application Security Consultant
> email: s.parmendra@gmail.com
>
> --
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/
>
> This list is supported by Institute of Information Security
> http://iisecurity.in
> Learn information security at your own pace – eLearning programs at
> http://elearning.iisecurity.in

--
Thanks & Regards
Gaurav Shah.
91-9552504002.
