RE: Testing Application vulnerability tools

As for checking the front end and platform you can use Nikto, Paros and
obviously Nessus, but those likely won't find tons of unique holes in the
app. As for the code, .NET unfortunately doesn't receive a lot of open
source love, but you can try FxCop.
http://www.gotdotnet.com/Team/FxCop/

It's a code analysis tool for the .NET framework

I wouldn't say it's phenomenal by any means, but it's better than
nothing.

It will only find the most ridiculous glaring holes and not very well at
that. Keep in mind this tool is very primitive.

http://samate.nist.gov/index.php/Source_Code_Security_Analyzers

Some free CR tools...

Also, you could try a demo license of DevInspect from SPI Dynamics.

--
db

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of WALI
Sent: Saturday, February 17, 2007 11:22 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Testing Application vulnerability tools

I have a team of software developers involved in writing code for an HR
management application. They have put the first module, payroll, online,
but every day we get reports of users getting access to areas they
shouldn't. The software team is involved in continuous debugging and
patching.

Is there a tool I can use to do software code review (.NET)?

I know it's also a design issue, but there should be a way I can at least
check the front end (HTTP) interface for common vulnerabilities?
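The failure described above (users reaching areas they shouldn't) is broken access control, and generic scanners like Nikto or Nessus will not find it because they don't know which role is supposed to see which page. What does find it is an access-matrix check: log in as each role, request every known path, and compare the responses to what the design says should happen. The following is an added example written for this thread, not code posted by either participant and not part of any .NET tool mentioned. The "payroll" WSGI app, the session cookies, the paths and the expected matrix are all constructed for illustration; the sample app deliberately omits the role check on one admin page so the scan has something to report. Against a real deployment you would replace the in-process transport with the live HTTP transport at the bottom and capture the session cookies by logging in as each user.

```python
"""Access-matrix check for an HTTP front end (added example, not from the thread).

Every path is requested as every role; a 200 for a role that should be denied
is reported as 'escalation', a non-200 for a role that should be allowed as
'denied'. Redirects to a login page count as denied, which is why the live
transport below must NOT follow redirects.
"""
import io
import urllib.error
import urllib.request

# Constructed session cookies, one per role. In a real test, log in as each
# user and paste the cookie value here; None means an unauthenticated request.
SESSIONS = {
    "anonymous": None,
    "employee": "sid=emp-1111",
    "hr_admin": "sid=adm-9999",
}

# Expected access matrix (constructed): path -> roles that should get 200.
EXPECTED = {
    "/": {"anonymous", "employee", "hr_admin"},
    "/payslip/me": {"employee", "hr_admin"},
    "/admin/payroll-run": {"hr_admin"},
    "/admin/users": {"hr_admin"},
}

# --- constructed stand-in for the payroll app (hypothetical, not real code) ---
ROLE_BY_SID = {"emp-1111": "employee", "adm-9999": "hr_admin"}


def sample_app(environ, start_response):
    """Minimal WSGI app with one deliberate authorization bug (see /admin/users)."""
    path = environ.get("PATH_INFO", "/")
    cookie = environ.get("HTTP_COOKIE", "")
    sid = cookie.split("sid=", 1)[1].split(";")[0] if "sid=" in cookie else None
    role = ROLE_BY_SID.get(sid)
    if path == "/":
        status = "200 OK"
    elif path == "/payslip/me":
        status = "200 OK" if role else "302 Found"          # redirect to login
    elif path == "/admin/payroll-run":
        status = "200 OK" if role == "hr_admin" else "403 Forbidden"
    elif path == "/admin/users":
        # BUG (constructed): checks that *a* session exists, not that it is hr_admin.
        status = "200 OK" if role else "403 Forbidden"
    else:
        status = "404 Not Found"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]


def wsgi_get(app, path, cookie=None):
    """Call a WSGI app in-process (no sockets) and return the numeric status."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
        "SERVER_PORT": "80", "wsgi.url_scheme": "http", "wsgi.input": io.BytesIO(b""),
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        return lambda data: None

    b"".join(app(environ, start_response))  # drain the body
    return captured["status"]


def live_get(base_url):
    """Transport for a real server: GET base_url+path with a cookie, no redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turns a 3xx into an HTTPError we can report as-is

    opener = urllib.request.build_opener(NoRedirect)

    def get(path, cookie=None):
        req = urllib.request.Request(base_url + path,
                                     headers={"Cookie": cookie} if cookie else {})
        try:
            return opener.open(req, timeout=10).status
        except urllib.error.HTTPError as err:
            return err.code
    return get


def check_access_matrix(get, sessions, expected):
    """Return [(path, role, kind, status)] for every mismatch with the matrix."""
    findings = []
    for path, allowed in expected.items():
        for role, cookie in sessions.items():
            status = get(path, cookie)
            if status == 200 and role not in allowed:
                findings.append((path, role, "escalation", status))
            elif status != 200 and role in allowed:
                findings.append((path, role, "denied", status))
    return findings


def run_sample_scan():
    """Scan the constructed app; should report the employee reaching /admin/users."""
    return check_access_matrix(lambda p, c: wsgi_get(sample_app, p, c), SESSIONS, EXPECTED)


if __name__ == "__main__":
    for path, role, kind, status in run_sample_scan():
        print(f"{kind:10} {role:10} {path} -> {status}")
```

Two design points matter in practice. First, treat anything other than a 200 as denied, including a 302 to the login page, and make sure the transport does not silently follow that redirect, or an unauthenticated request that lands on the login page will look like success. Second, the matrix is the real deliverable: writing down which role may see which path is exactly the design work the original poster alludes to, and once it exists the scan can be re-run after every patch, which is far more useful against "users getting access to areas they shouldn't" than another pass with a generic scanner.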