Hello Everyone,
I request your inputs for the questions below:
Thanks a lot.
--
Thanks and Regards:
Pam
Parmendra Sharma
Application Security Consultant
email: s.parmendra@gmail.com
On Thu, Apr 28, 2011 at 10:52 AM, Parmendra Sharma
s.parmendra@gmail.com wrote:
What are the factors based on which you put an application into one of
the categories, i.e. Small, Medium and Large application? Maybe you see / ask
your customer the number of dynamic pages within the apps, etc. What
factors make you decide on the right category for an application?
Scope by the number of URIs, parameters (including action/controller/%d
parameters), API calls (this especially applies to web services) as
well as the components and architecture involved in the
execution and data flow.
The phrase, "Small", to one code review team may be different than
another team's view of "Small". Companies like Aspect Security publish
their numbers about how many lines of code that they review per month.
Is there any tool among (Acunetix, Appscan and Webinspect) which is capable
of telling which category the scanned app falls into, i.e. Small, Medium or
Large?
Burp Suite Professional has an "analyse target" tooltip in the Target
tab. After a full-knowledge walk of the application (note that a
spider or crawler cannot necessarily detect this appropriately), the
number of dynamic and static URIs can be calculated, along with the
HTTP methods and number of parameters per method, per URI.
Additionally, headers (including cookies) that need to be tested will
also need to be included in this calculation.
I find Burp Suite Professional to therefore be the most valuable tool
for scoping web application runtime analysis work.
However, I also appreciate WebInspect's "Crawled URLs Report" which is
a standard QA report available in that tool. It can be printed
following a crawl-only run of the WebInspect scanner (assuming that
this must be completely automated).
You can also get a similar list by using O2 and WebInspect in
coordination as described here --
http://o2platform.com/wiki/3rd_Party_Tool_-_Using_O2_with_WebInspect_files
What is the timeframe (standard, if any) you generally take to perform VA /
PT for small, medium and large category applications for OWASP Top 10
vulnerabilities?
Many organizations prefer to perform continuous vulnerability
assessment testing and penetration-testing, and combine them with
source code assisted penetration-tests, full-knowledge
penetration-tests, and secure application development management (e.g.
Open SAMM / Microsoft SDL).
Many organizations prefer to utilize the CWE-700 to understand
software weaknesses and usually follow the guidance from SAFEcode
around how to deal with specific CWE weaknesses. They use the CWE-700
in place of the OWASP Top 10. This is a very good idea because the
OWASP Top 10 is only a subset of the critical vulnerabilities that
could occur in applications.
Has someone performed VA / PT on Push Technologies / Novel Technologies such
as Lightstreamer and AMF / Livecycle / Blaze, or apps like CXF? (I posted this
earlier also but did not receive any comments... any little help will be
quite useful.)
While I work for competing organizations, the application security
consulting company Gotham Digital Science has done lots of work with
AMF and Blaze. Their consultants publish work specifically on these
technologies that make it into conferences such as BlackHat and
Shmoocon.
http://gdssecurity.com
You will likely want to find an application security consulting
company that best fits your own personal needs. Generally, this would
be a provider that is local to your area, or that services it
frequently. I suggest a search on LinkedIn for "application security
consulting" to best help address your needs. Companies such as
Forrester and The 451 Group perform industry analysis of the major and
minor players in this industry -- so if you already have a
subscription (or don't feel confident making these decisions alone),
be sure to check out the work that they have done.
In your area (again, these are competitors of mine, but I have no
qualms about recommending them) -- I believe Corsaire and Pure Hacking
are two companies that come to mind.
Cheers,
Andre
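The scoping arithmetic Andre describes (static vs dynamic URIs from a full-knowledge walk, HTTP methods per URI, parameters per method per URI, plus the headers and cookies that carry input) is easy to automate once the walk is recorded. The script below is an added example, not code from the thread, from Burp, or from WebInspect. It reads a constructed site-map listing in a simplified tuple format (not either tool's export format), collapses numeric REST ids into one path template, and sums the counts into a size score. The Small/Medium/Large thresholds are an assumption, chosen only to show the mechanism; as the reply notes, each team has to set its own.

```python
"""Scope a web-application runtime test from a full-knowledge walk.

Added example (not from the thread or any scanner's own code). Input is a
constructed site-map listing, one tuple per observed request, rather than
Burp's or WebInspect's export format. The size thresholds are assumptions.
"""
import os.path
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample walk of a hypothetical app: (method, URL, body params,
# input-bearing headers/cookies). Two requests hit the same REST resource
# with different ids so the path-template collapsing is exercised.
SAMPLE_WALK = [
    ("GET", "https://app.example/static/app.css", {}, []),
    ("GET", "https://app.example/static/logo.png", {}, []),
    ("GET", "https://app.example/", {}, ["Cookie:session"]),
    ("GET", "https://app.example/login", {}, []),
    ("POST", "https://app.example/login", {"user": "a", "pass": "b"}, ["X-Forwarded-For"]),
    ("GET", "https://app.example/orders?page=2&sort=date", {}, ["Cookie:session"]),
    ("GET", "https://app.example/orders/1234", {}, ["Cookie:session"]),
    ("GET", "https://app.example/orders/5678", {}, ["Cookie:session"]),
    ("POST", "https://app.example/api/v1/orders", {"sku": "X", "qty": "1"}, ["Authorization", "Cookie:session"]),
    ("DELETE", "https://app.example/api/v1/orders/1234", {}, ["Authorization"]),
]

STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff"}

# Assumed thresholds on the size score (endpoints + parameters + headers).
SIZE_THRESHOLDS = (("Small", 50), ("Medium", 250))


def normalize_path(path):
    """Collapse numeric path segments into {id} so /orders/1234 and
    /orders/5678 count as one URI that carries a path parameter."""
    template, params = [], set()
    for seg in path.split("/"):
        if seg.isdigit():
            template.append("{id}")
            params.add("path:id")
        else:
            template.append(seg)
    return "/".join(template), params


def classify_size(score, thresholds=SIZE_THRESHOLDS):
    """Map a size score onto the assumed Small/Medium/Large buckets."""
    for name, limit in thresholds:
        if score <= limit:
            return name
    return "Large"


def scope(walk):
    """Count static URIs, dynamic URIs, method/URI endpoints, parameters
    per endpoint and input-bearing headers, then bucket the total."""
    static, headers = set(), set()
    endpoints = defaultdict(lambda: defaultdict(set))  # uri -> method -> params
    for method, url, body, hdrs in walk:
        parts = urlsplit(url)
        uri, params = normalize_path(parts.path)
        params.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
        params.update(body)
        headers.update(hdrs)
        # A GET for a known static extension with no inputs is not a test target.
        if method == "GET" and not params and os.path.splitext(uri)[1].lower() in STATIC_EXTENSIONS:
            static.add(uri)
            continue
        endpoints[uri][method].update(params)
    n_endpoints = sum(len(methods) for methods in endpoints.values())
    n_params = sum(len(p) for methods in endpoints.values() for p in methods.values())
    score = n_endpoints + n_params + len(headers)
    return {
        "static_uris": len(static),
        "dynamic_uris": len(endpoints),
        "endpoints": n_endpoints,
        "parameters": n_params,
        "headers": len(headers),
        "score": score,
        "size": classify_size(score),
        "detail": {(u, m): sorted(p) for u, ms in endpoints.items() for m, p in ms.items()},
    }


if __name__ == "__main__":
    result = scope(SAMPLE_WALK)
    for key in ("static_uris", "dynamic_uris", "endpoints", "parameters", "headers", "score", "size"):
        print(f"{key}: {result[key]}")
    for (uri, method), params in sorted(result["detail"].items()):
        print(f"  {method:6} {uri}  params={params}")
```

Because the input is the recorded walk rather than a crawler's output, pages a spider would never reach (multi-step forms, JavaScript-driven calls, authenticated areas) are counted as long as the tester visited them; the "detail" map is the per-method, per-URI parameter list that goes into the test plan.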
Hi Parmendra,
I actually wanted to gather all my thoughts before I could reply to this
query of yours.
I have put my comments inline.
On Thu, Apr 28, 2011 at 11:22 PM, Parmendra Sharma s.parmendra@gmail.com wrote:
Hello Everyone,
I request your inputs for the questions below:
- What are the factors based on which you put an application into one
of the categories, i.e. Small, Medium and Large application? Maybe you see /
ask your customer the number of dynamic pages within the apps, etc. What
factors make you decide on the right category for an application?
[Gaurav] - I would first like to know why do you want to categorize in
Small, Medium & Large?
- Is there any tool among (Acunetix, Appscan and Webinspect) which is
capable of telling which category the scanned app falls into, i.e. Small,
Medium or Large? [Gaurav] - No tool will help you categorize.
- What is the timeframe (standard, if any) you generally take to perform
VA / PT for small, medium and large category applications for OWASP Top 10
vulnerabilities? [Gaurav] - The timeframe is more or less dependent upon the
complexity of the particular webpage/website.
- Has someone performed VA / PT on Push Technologies / Novel Technologies
such as Lightstreamer and AMF / Livecycle / Blaze, or apps like CXF? (I posted
this earlier also but did not receive any comments... any little help will
be quite useful.) [Gaurav] - Sorry, I have not worked on Push Technologies /
Novel Technologies.
Thanks a lot.
--
Thanks and Regards:
Pam
Parmendra Sharma
Application Security Consultant
email: s.parmendra@gmail.com
--
null - Spreading the right Information
null Mailing list charter:
http://null.co.in/section/about/null_list_charter/
This list is supported by Institute of Information Security
http://iisecurity.in
Learn information security at your own pace – eLearning programs at
http://elearning.iisecurity.in
--
Thanks & Regards
Gaurav Shah.
91-9552504002.