RE: Web apps code testing

From: Yvan Boily (yboily_at_seccuris.com)
Date: 03/19/04

    To: "'Dean Saxe'" <Dean.Saxe@DigitalInsight.com>, <security-basics@securityfocus.com>
    Date: Fri, 19 Mar 2004 15:01:37 -0600
    
    

    Code scanners are very useful tools that will provide some direction in how
    to inspect the application for some types of implementation flaws, and web
    site pen-testing tools can test for some types of attacks; however, using
    them to test application security is a flawed approach. The recommendation
    to use a code scanning tool to ensure that code is secure is extremely
    dangerous; if you use a tool like that to check if your application is
    "secure" then you are giving yourself a false sense of security.

    Application design is more relevant to security than implementation;
    implementation flaws are typically minor bugs which can be fixed quickly
    when identified; security related design flaws typically require
    redevelopment of affected areas of the application as well as introduction
    of new user interface elements.

    I don't disagree that using a code scanning tool, or pentesting the
    application, has some degree of value, but without an analysis of the
    application's design, the environment it operates within (especially
    important for networked apps, including websites), and the application source
    code, you have not given yourself anything more than a false sense of
    security. You need to identify the real risks associated with operating the
    application, and from those risks determine which are acceptable and which
    need to be corrected. Code scanning tools cannot perform analysis of design
    or environment, and can only detect predefined language constructs which are
    deemed "risky". A more comprehensive approach is required to test for
    application level security. Ensuring that security features of the
    application address the OWASP top-ten issues would be a best first step.

    Regards,
    Yvan Boily
    Information Security Analyst
    Seccuris

    > -----Original Message-----
    > From: Dean Saxe [mailto:Dean.Saxe@DigitalInsight.com]
    > Sent: Thursday, March 18, 2004 11:30 AM
    > To: 'Sistemas Aurensis-Sys Sec'; security-basics@securityfocus.com
    > Subject: RE: Web apps code testing
    >
    > That will only scan the server, not the code, for vulnerabilities. I
    > believe the OWASP had a Java code scanner project in the
    > works. You may
    > also want to test the application with a product like WebInspect by
    > SPIDynamics (www.spidynamics.com).
    >
    > -dhs
    >
    > -----Original Message-----
    > From: Sistemas Aurensis-Sys Sec [mailto:syssec@aurensis.com]
    > Sent: Thursday, March 18, 2004 2:29 AM
    > To: security-basics@securityfocus.com
    > Subject: Web apps code testing
    >
    >
    > You can try nikto.
    > Nikto is a web server scanner which looks for over 2000 potentially
    > dangerous files/CGIs and problems on over 200 servers
    >
    > http://www.cirt.net/code/nikto.shtml
    >
    > -----Original Message-----
    > From: Marty [mailto:groupecci@yahoo.ca]
    > Sent: Wednesday, March 17, 2004 1:51
    > To: Sec Basic
    > Subject: Web apps code testing
    >
    >
    > Hi,
    >
    > I have the complete code (Java) for a website our
    > development team just completed.
    >
    > Is there a tool I can use to make sure the code
    > is secure?
    >
    > Thanks!
    >
    > Marty
    >
    >
    > --------------------------------------------------------------
    > -------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and
    > get $545 off
    > any course! All of our class sizes are guaranteed to be 10
    > students or less
    > to facilitate one-on-one interaction with one of our expert
    > instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field
    > pen testing experience in our state of the art hacking lab. Master the
    > skills
    > of an Ethical Hacker to better assess the security of your
    > organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    > --------------------------------------------------------------
    > --------------

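An added illustration of the point Yvan makes about scanners detecting only "predefined language constructs": this is not code from the thread or from any product named in it. It is a toy construct scanner in Python, with rule patterns and two Java snippets that are my own constructed examples; it flags the concatenated SQL (an implementation flaw, fixed locally) and reports nothing on the parameterised query that still lets any logged-in user read any account (a design flaw in the authorization model).

```python
import re
from typing import Dict, List, Tuple

# Toy scanner for "predefined language constructs deemed risky", in the spirit
# of the tools the thread discusses. The three rules below are my own
# illustrative patterns, not any real product's ruleset.
RISKY_CONSTRUCTS = {
    # SQL string literal immediately concatenated with something else
    "sql-concat": re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+'),
    "os-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    "stack-trace-leak": re.compile(r"\.printStackTrace\("),
}


def scan(java_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_id) for every line matching a risky construct."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for rule_id, pattern in RISKY_CONSTRUCTS.items():
            if pattern.search(line):
                findings.append((lineno, rule_id))
    return findings


# Constructed sample 1: an implementation flaw. The scanner catches it, and the
# fix is local (switch to a parameterised query).
IMPLEMENTATION_FLAW = """\
String sql = "SELECT * FROM accounts WHERE id = " + request.getParameter("id");
ResultSet rs = stmt.executeQuery(sql);
"""

# Constructed sample 2: a design flaw. The query is parameterised, so no rule
# matches, yet nothing ties the requested account to the authenticated user:
# any logged-in user can read any account. Fixing that means redesigning the
# authorization model, not patching one line.
DESIGN_FLAW = """\
PreparedStatement ps = conn.prepareStatement("SELECT * FROM accounts WHERE id = ?");
ps.setInt(1, Integer.parseInt(request.getParameter("id")));
ResultSet rs = ps.executeQuery();
"""


def report() -> Dict[str, List[Tuple[int, str]]]:
    """Scan both samples; the empty result for DESIGN_FLAW is the point."""
    return {"implementation_flaw": scan(IMPLEMENTATION_FLAW),
            "design_flaw": scan(DESIGN_FLAW)}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {findings or 'no findings (scanner says clean)'}")
```

The clean result on the second sample is exactly the false sense of security the message warns about: only a review of the design (who may read which account, and how the session is bound to the resource) surfaces it.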

