Re: Vuln Scanner for Web App Source Code



Cenzic Hailstorm and SPI Dynamics WebInspect are vulnerability
scanners ONLY and do NOT inspect source code. Same with Paros Proxy,
which is a pen testing / VA tool more than anything.

SPI (now HP) does have a product called DevInspect that plugs into a
development IDE (Visual Studio and Eclipse) and performs some hybrid
blackbox/whitebox scanning.

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.techlists.org/


I'd still recommend you do manual checks in addition to using a source
code scanner. You'll have to, in order to verify the results.

-J

On 18 May 2008 04:15:50 -0000, cnanne@xxxxxxxxx <cnanne@xxxxxxxxx> wrote:
This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in the actual Source Code of the Web App? Or can this task only be done by hand?


Any feedback on this is highly appreciated.



cheers,


PhoenixRbrth

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------