Re: Anyone hear of ANSA (Asp.Net Security Analyser)??

From: Dinis Cruz (dinis_at_ddplus.net)
Date: 10/12/03

    Date: 11 Oct 2003 17:38:22 -0700
    
    

    Hello Nomad

    The company that sent that email was DDPlus (www.ddplus.net), of which I
    am the managing director. We are a London-based security company (as you
    can see from our website) and the objective of that email was to ask
    you (as an ISP) if your servers that provide Asp.Net shared hosting
    are secure.

    Just to clarify, ANSA (Asp.Net Security Analyser) is not a 'commercial
    application' or a 'home made DLL'. ANSA is a web based tool, written
    in C# and VB.NET, and only contains .aspx pages (i.e. Asp.Net code).

    The idea is for you (as an ISP) to 'execute' those scripts in a
    normal user account, with the same environment as all your normal
    hosting clients.

    This is the equivalent of us ordering and paying for a hosting
    account, or the equivalent of any of your existing clients downloading
    the security tool from its public workspace in GotDotNet
    (http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5)
    and uploading it to their area.

    Since the scripts will be executed with the rights and security
    settings that you currently give to your web hosting clients, its
    results will tell us if your servers are secure or not.

    The second point that I want to clarify is that ANSA is an Open Source
    application, which means that you can look at the source code and see
    what is going on.

    Finally the reason that we are looking for ISPs that have secure
    servers is because we want to recommend 'secure shared hosting'
    companies to our clients.

    You can also contact me directly if you require any further
    information.

    Best regards

    Dinis Cruz
    .Net Security Consultant
    DDPlus (www.ddplus.net)

    "NomadPgmr" <nomadpgmr@hotmail.com> wrote in message news:<SLshb.254728$mp.178119@rwcrnsc51.ops.asp.att.net>...
    > I work for a web hosting company and recently received an email from someone
    > interested in secure hosting. They asked me to run the following scripts on
    > one of our web servers, saying they would only host with a company whose
    > server passed all of these tests. I have not done so and if we were even
    > tempted to do so, would only do it on an isolated server that we formatted
    > the hard drives on afterwards. We don't even like to run some commercial
    > applications or home made DLLs, so no reason to start now. Has anyone heard
    > about these scripts or gotten a similar email?
    >
    > Body of email follows:
    > Thanks,
    > Roger
    >
    > Hello, I am interested in your Asp.Net hosting services and would like to
    > know more details about its security.
    >
    > I work for a security company (***********) and we need to find a secure ISP
    > to host some of our client's websites (particularly this one:
    > **************)
    >
    > We also want to start offering our own ******* branded packages in our
    > website.
    >
    > We will be reselling 'Secure Asp.Net' hosting packages using servers/ISPs
    > that successfully 'fail' all ANSA (Asp.Net Security Analyser) security
    > tests.
    >
    > So, please download the latest version of ANSA from GotDotNet
    > (http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=36ae9a2c-8740-4b52-924e-320edf64fba5)
    > and if your servers are securely configured (i.e.
    > there is no 'high' or 'critical' and only some 'medium' classification
    > results) send me details about your reseller hosting packages.

