Re: Categories for application security testing & tools

From: Ashish Popli (apopli_at_gmail.com)
Date: 04/02/05

    To: secprog@securityfocus.com
    Date: Fri, 01 Apr 2005 23:34:15 -0500


    Evans, Arian wrote:

    > What: need for a Talisker or SANS-type tool-list resource for application
    > security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.
    >
    > This email: Propose categories for organizing application security tools.
    >
    > Proposal: Categorize by type of testing one would use the tool to perform.
    >
    > Detail: Plan to keep this on OWASP or my personal website.
    >
    > Please provide feedback on the distinctions below: if you think they make
    > sense; if you'd prefer some other (e.g.-cost, color, extremeness, etc.).
    >
    > nota bene: this is X-posted to webappsec, secprog, and SC-L
    >
    > Categories:
    >
    > There are six common ways people use to assess an application for
    > security vulnerabilities, five of which work:
    >
    > -Vulnerability Scanning (think Qualys, Retina)
    >
    > -Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)
    >
    > -Sandboxing for Fault Injection analysis (think Holodeck, monitoring file/reg/proc with Sysinternals
    > tools, etc., combined with FI tools)
    >
    > -Binary Analysis (the mysteriously disappearing SmartRisk Analyzers, manual w/IDA Pro)
    >
    > -Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)
    >
    > -Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)
    >
    >
    > Problems: some tools cross boundaries; SecurityChecker, for example, is both
    > Fault Injection and Static Source Analysis.
    >
    >
    > Thanks,
    >
    > Arian Evans
    > Sr. Security Engineer
    > FishNet Security
    >
    > Phone: 816.421.6611
    > Toll Free: 888.732.9406
    > Fax: 816.421.6677
    >
    > http://www.fishnetsecurity.com
    >
    How about a category for *tools and processes* that make you *think*
    about security during software development? For example, CLASP by Secure
    Software, Inc.:
    www.securesoftware.com/solutions/clasp.html
    http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/oct04/viega/
