Penetration Testing: RE: Vuln Scanner for Web App Source Code

[FF <as1812 () gmail com>]

Quick answer is to look at fortify and ouncelab software scanners.  I've been doing pentests for a while, but just 
recently had access to the source and did a scan. 

It was like having a cheatsheet during the test.  Very cool indeed.

However, if your goal is to give developers a report on code quality, perhaps as part of a pentest report, then the 
code scanners are only as good as webapp scanners.  

They can increase a testers througput, and increase consistency over a number of tests, but they cannot replace a 
senior developer or pentester that can configure the scans and interpret the results to produce a meaningful report.

You might consider taking a look at the NIST samate site for a complete overview of static analysis tools...as well as 
others in this space.

// FF

-----Original Message-----
From: cnanne () gmail com
Sent: Sunday, May 18, 2008 12:15 AM
To: pen-test () securityfocus com
Subject: Vuln Scanner for Web App Source Code

This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in the 
actual Source Code of the Web App? Or can this task can only be done by hand?


Any feedback on this is highly appreciative



cheers,


PhoenixRbrth

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------