Security Basics mailing list archives

RE: Web apps code testing
From: "Yvan Boily" <yboily () seccuris com>
Date: Fri, 19 Mar 2004 15:01:37 -0600

Code Scanners are very useful tools that will provide some direction in how
to inspect the application for some types of implementation flaws, and web
site pen-testing tools can test for some types of attacks, however using
them to test application security is a flawed approach.  The recommendation
to use a code scanning tool to ensure that code is secure is extremely
dangerous; if you use a tool like that to check if your application is
"secure" then you are giving yourself a false sense of security.

Application design is more relevant to security than implementation;
implementation flaws are typically minor bugs which can be fixed quickly
when identified; security-related design flaws typically require
redevelopment of affected areas of the application as well as introduction
of new user interface elements.

I don't disagree that using a code scanning tool, or pentesting the
application, has some degree of value, but without an analysis of the
application's design, the environment it operates within (especially
important for networked apps including websites), and the application source
code you have not given yourself anything more than a false sense of
security.  You need to identify the real risks associated with operating the
application, and from those risks determine which are acceptable and which
need to be corrected.  Code scanning tools cannot perform analysis of design
or environment, and can only detect predefined language constructs which are
deemed "risky".  A more comprehensive approach is required to test for
application-level security.  Ensuring that security features of the
application address the OWASP top-ten issues would be a best first step.

Regards,
Yvan Boily
Information Security Analyst
Seccuris 
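An added illustration of the limitation Yvan describes, not code from the thread: a toy pattern-based "code scanner" run over three constructed Java fragments. It flags the string-concatenated SQL (an implementation flaw), stays quiet once the query is parameterised, and also stays quiet on a missing ownership check (a design flaw), because no predefined "risky" construct is present to match. The Java snippets, rule names and `invoiceDao` API are assumptions for the example.

```python
import re

# Constructed Java fragments (not from the thread) used as scanner input.
# 1) Implementation flaw: SQL built by string concatenation of request input.
IMPL_FLAW = '''
String q = "SELECT * FROM users WHERE name = '" + request.getParameter("name") + "'";
ResultSet rs = stmt.executeQuery(q);
'''.strip()

# 2) Same query done safely with a parameterised statement.
IMPL_FIXED = '''
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, request.getParameter("name"));
ResultSet rs = ps.executeQuery();
'''.strip()

# 3) Design flaw (hypothetical invoiceDao API): any authenticated user can read
#    any invoice because the design never required an ownership check.
#    No "risky construct" appears, so a pattern scanner has nothing to match.
DESIGN_FLAW = '''
Invoice inv = invoiceDao.findById(Long.parseLong(request.getParameter("id")));
response.getWriter().print(inv.toJson());
'''.strip()

# A minimal pattern-based "code scanner": each rule is a predefined language
# construct deemed risky, which is all such tools can look for.
RULES = {
    "sql-concat": re.compile(r'"\s*\+\s*request\.getParameter\('),
    "exec-query-var": re.compile(r'executeQuery\(\s*[A-Za-z_]\w*\s*\)'),
}

def scan(source):
    """Return [(line_no, rule_name)] for every rule hit in the Java source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((line_no, name))
    return findings

def rule_names(source):
    """Just the rule names that fired, in source order."""
    return [name for _, name in scan(source)]

if __name__ == "__main__":
    for label, src in [("impl flaw", IMPL_FLAW), ("impl fixed", IMPL_FIXED),
                       ("design flaw", DESIGN_FLAW)]:
        print(f"{label:12s} -> {rule_names(src) or 'clean (by the scanner)'}")
```

The "design flaw" fragment comes back clean only because the scanner has no notion of who may read which invoice; that question is answered by design review, not by pattern matching.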

-----Original Message-----
From: Dean Saxe [mailto:Dean.Saxe () DigitalInsight com] 
Sent: Thursday, March 18, 2004 11:30 AM
To: 'Sistemas Aurensis-Sys Sec'; security-basics () securityfocus com
Subject: RE: Web apps code testing

That will only scan the server, not the code, for vulnerabilities.  I
believe the OWASP had a Java code scanner project in the works.  You may
also want to test the application with a product like WebInspect by
SPIDynamics (www.spidynamics.com).

-dhs

-----Original Message-----
From: Sistemas Aurensis-Sys Sec [mailto:syssec () aurensis com]
Sent: Thursday, March 18, 2004 2:29 AM
To: security-basics () securityfocus com
Subject: Web apps code testing


You can try nikto.
Nikto is a web server scanner which looks for over 2000 potentially
dangerous files/CGIs and problems on over 200 servers

http://www.cirt.net/code/nikto.shtml

-----Original Message-----
From: Marty [mailto:groupecci () yahoo ca]
Sent: Wednesday, 17 March 2004 1:51
To: Sec Basic
Subject: Web apps code testing


Hi,

I have the complete code (Java) for a website our
development team just completed.

Is there a tool I can use to make sure the code
is secure?

Thanks!

Marty


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------