WebApp Sec: RE: Web Application Security

RE: Web Application Security

From: Ofer Shezaf <ofers_at_Breach.com>
Date: Wed, 12 Mar 2008 08:12:26 +0200

Zack wrote:
> The other option from a Web Application Firewall is to
> use a black box tester and look for vulnerabilities
> within your Web application. I personally think that
> is a better approach since you are "fixing" the source
> of potential vulnerabilities rather than "hiding" them
> behind a firewall.

Are you sure that by black box testing you actually fix the vulnerabilities?
The last time I checked, vulnerability scanners did not claim to modify the
code in any way. I assume you would agree that scanners just point to
vulnerabilities requiring the programmers to fix them. If your web site
operator takes down the site the moment a vulnerability is found and your
programmers fix it within a reasonable time frame to keep the site down (3
minutes?) you are fine with scanners. However, I assume that your situation
is different.

While I agree with using scanners to empower programmers to make their code
better, I don't think it is a one-stop solution for protecting your
application. Application firewalls will enable you to dynamically patch
those vulnerabilities until the programmers come around to fixing them and
provide protection from zero-day attacks until the next time you run your
scanners. My colleague Ivan Ristic wrote just yesterday a blog entry
describing use cases for WAFs:
http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html.

~ Ofer

Ofer Shezaf
Work: ofers_at_breach.com, +972-9-9560036 #212
Personal: ofer_at_shezaf.com, +972-54-4431119

VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
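What the "dynamically patch those vulnerabilities" point looks like in practice, as an added example that is not part of the original message: a ModSecurity 2.x virtual patch for a hypothetical page /app/account.php whose "id" parameter a scanner has reported as injectable. The path, parameter and rule id are assumptions for illustration; the rule enforces what the parameter should look like and blocks everything else until the application code is actually fixed.

```apache
# Added example (not from the original message): ModSecurity 2.x virtual patch.
# Assumed, hypothetical target: /app/account.php, parameter "id" reported as
# injectable by a scanner. The patch whitelists the expected value (1-10 digits)
# and denies anything else, so the bug is shielded while developers fix it.
SecRule REQUEST_FILENAME "@streq /app/account.php" \
    "id:900001,phase:2,t:none,deny,status:403,log,\
    msg:'Virtual patch: account.php id must be numeric',\
    tag:'virtual-patch',severity:'CRITICAL',chain"
    # Second link of the chain: fire only when "id" is present and NOT
    # purely numeric. Chained rules carry no id/phase/disruptive action.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# Optional companion rule: the patch above does not fire when "id" is
# absent, so reject requests that omit the parameter entirely.
SecRule REQUEST_FILENAME "@streq /app/account.php" \
    "id:900002,phase:2,t:none,deny,status:403,log,\
    msg:'Virtual patch: account.php requires an id parameter',\
    tag:'virtual-patch',chain"
    SecRule &ARGS:id "@eq 0" "t:none"
```

Requests matching the rules are logged with the msg and tag, which gives a ready-made detection signal for how often the shielded bug is being probed before the real fix ships.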

Received on Mar 12 2008
