Re: Categories for application security testing & tools
From: Ashish Popli (apopli_at_gmail.com)
Date: 04/02/05
- Previous message: Ashish Popli: "Re: calling all software security tool vendors/freeware/open source project leads"
To: secprog@securityfocus.com
Date: Fri, 01 Apr 2005 23:34:15 -0500
Evans, Arian wrote:
> What: need for a Talisker or SANS-type tool-list resource for application
> security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.
>
> This email: Propose categories for organizing application security tools.
>
> Proposal: Categorize by type of testing one would use the tool to perform.
>
> Detail: Plan to keep this on OWASP or my personal website.
>
> Please provide feedback on the distinctions below: if you think they make
> sense; if you'd prefer some other (e.g. cost, color, extremeness, etc.).
>
> nota bene: this is X-posted to webappsec, secprog, and SC-L
>
> Categories:
>
> There are six common ways people use to assess an application for
> security vulnerabilities, five of which work:
>
> -Vulnerability Scanning (think Qualys, Retina)
>
> -Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)
>
> -Sandboxing for Fault Injection analysis (think Holodeck, monitoring
> file/reg/proc with Sysinternals tools, etc., combined with FI tools)
>
> -Binary Analysis (the mysteriously disappearing SmartRisk Analyzers, manual w/IDA Pro)
>
> -Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)
>
> -Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)
>
> Problems: some tools cross boundaries; e.g. SecurityChecker is both
> Fault Injection and Static Source Analysis.
>
> Thanks,
>
> Arian Evans
> Sr. Security Engineer
> FishNet Security
>
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677
>
> http://www.fishnetsecurity.com
>
How about a category for *tools and processes* that make you *think*
about security during software development? For example, CLASP by Secure
Software, Inc.:
www.securesoftware.com/solutions/clasp.html
http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/oct04/viega/