Educause Security Discussion mailing list archives

Re: Experiences with Web application vulnerability assessment (1) software (2) companies


From: Darwin Macatiag <DMacatiag () MTSAC EDU>
Date: Fri, 29 Feb 2008 19:25:17 -0800

Static code analyzers tend to be extremely noisy and can be confusing unless the developer is familiar with secure coding practices.  If your developers are web developers, they can get a lot of information from http://www.owap.org.  There's a section there on code reviews.  Even for non-web developers it can be extremely helpful.  For others you can check the SANS secure development program.

If they have the time for self study the following books are very good:
Secure Programming with Static Analysis (Addison-Wesley Software Security 
Series) 
by Brian Chess, Jacob West 

The Art of Software Security Assessment: Identifying and Preventing 
Software Vulnerabilities 
by Mark Dowd, John McDonald, Justin Schuh

Thanks,
Darwin
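To make the "noisy unless the developer knows secure coding" point concrete, here is an added illustration (not code from the poster or from any product named in the thread). It implements two toy static rules over Python source with the standard `ast` module: a naive rule that flags every `.execute()` call whose query is not a string literal, and a taint-aware rule that flags only queries that depend on data from a constructed list of input sources. The sample program it scans is constructed for the example; the source list, the flat single-scope taint set and the lack of sanitizer knowledge are simplifications, not how any real analyzer works.

```python
"""Toy static-analysis rules for SQL built from strings (constructed example).

'naive' flags any .execute() call whose first argument is not a string literal.
'taint-aware' flags only when that argument depends on a constructed set of
untrusted input sources. Neither is a real product's rule; they exist to show
the false-positive / false-negative trade-off behind noisy SAST output.
"""
import ast

# Constructed assumption: call targets treated as untrusted input.
TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}


def _dotted(node):
    """Return 'request.args.get' for an attribute chain, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class SqlRule(ast.NodeVisitor):
    def __init__(self, taint_aware):
        self.taint_aware = taint_aware
        self.tainted = set()   # simplification: one flat scope, no sanitizer model
        self.findings = []     # line numbers of flagged .execute() calls

    def _depends_on_input(self, node):
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and _dotted(sub.func) in TAINT_SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        # Propagate taint: x = request.args.get(...) makes x tainted.
        if self._depends_on_input(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Attribute) and node.func.attr == "execute" and node.args:
            query = node.args[0]
            literal = isinstance(query, ast.Constant) and isinstance(query.value, str)
            if not literal and (not self.taint_aware or self._depends_on_input(query)):
                self.findings.append(node.lineno)
        self.generic_visit(node)


def analyze(source, taint_aware=True):
    """Return the sorted line numbers the chosen rule flags in `source`."""
    rule = SqlRule(taint_aware)
    rule.visit(ast.parse(source))
    return sorted(rule.findings)


# Constructed sample program: four endpoints with different outcomes.
SAMPLE = '''\
import sqlite3
TABLE = "users"

def by_name(cursor, request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")   # line 6: real injection

def by_name_safe(cursor, request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))       # line 10: parameterized

def count_rows(cursor):
    cursor.execute("SELECT count(*) FROM " + TABLE)                     # line 13: constant only

def by_id(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))   # line 16: input via parameter
'''

if __name__ == "__main__":
    print("naive rule flags lines:      ", analyze(SAMPLE, taint_aware=False))  # [6, 13, 16]
    print("taint-aware rule flags lines:", analyze(SAMPLE, taint_aware=True))   # [6]
```

The naive rule reports line 13, a query built only from a module constant, as a finding a developer has to triage away; the taint-aware rule is quiet there but misses line 16, where the untrusted value arrives through a function parameter the toy rule never marks as tainted. Telling the two apart requires exactly the secure-coding background the message above describes.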


Bob Doyle <bobdoyle () KELLOGG NORTHWESTERN EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
02/29/2008 03:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies

Has anybody looked into or used any static code analyzers like SPI/HP’s devInspect plug-in for Visual Studio to supplement process elements like design and code review?

I’m looking for additional tools that can help our developers find security holes before the dynamic scanners catch it in Q+A or production.

Thanks,
Bob

From: Alex [mailto:alex.everett () UNC EDU]
Sent: Thursday, February 28, 2008 11:11 AM
Subject: Re: Experiences with Web application vulnerability assessment (1) software (2) companies

Darwin,

That is really the right place to be involved. However, it doesn't necessarily solve the problem that a lot of applications are already in production and were never designed with security requirements. Additionally, the people who designed or were in charge may no longer be available.

-Alex


From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Darwin Macatiag
Sent: Thursday, February 28, 2008 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability 
assessment (1) software (2) companies

I've been involved in the development process in the form of security 
design reviews and code reviews as well as the manual and automatic webapp 
pentests in the private sector.  A lot of times it turned out the most 
productive use of time is spent during the design reviews.  The major 
security issues are found during this time and the amount of time spent is 
pretty small (second only to an automated pentest).  The code review will 
tend to locate the most security issues however it tends to be extremely 
time consuming but some of the automated tools such as Fortify 
(commercial) and PMD (open source) help.  Pentests in QA and production 
were used as the last stopgap since things always fall through the cracks 
in large projects. 

Darwin 
  


"curtw () siu edu" <curtw () SIU EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
02/27/2008 09:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies

I've used various webapp assessment scanners over the years and have found value in them, especially for the bruteforce-try-out-many-directories-and-filename issues and generic SQL injection indicators, but they only go so far. Manual assessment has been of more value to me, however it usually takes a long time. Using Paros, webscarab or other proxy (I'm wanting to try out Burp but haven't had the opportunity yet) and carefully analyzing how things are being processed has been very useful.

I'm curious to know others' experiences with consultants and vendors when webapp assessment is not performed in-house. I'm sure I'm not the only one who struggles to keep up with this fast-moving area while keeping up with many other fast-moving areas at the same time (and trying to keep some sanity!)

cw
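As an added illustration of the "generic SQL injection indicators, but they only go so far" remark above (not code from the poster or from any scanner named in the thread), here are three constructed endpoints backed by an in-memory SQLite table, and two probes. The first probe is the scanner-style check: send a stray quote and look for database error text. The second is the kind of response differencing a careful hand on a proxy does: compare a true predicate, a false predicate and the unmodified request. The endpoints, error-signature list and payloads are all assumptions made for the example.

```python
"""Constructed example: why a generic error-string SQLi check only goes so far."""
import sqlite3

# Constructed assumption: substrings a scanner might treat as database error indicators.
DB_ERROR_SIGNATURES = ("OperationalError", "syntax error", "unrecognized token")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


CONN = _db()


def leaky_endpoint(name):
    """Injectable, and echoes the database error back to the client."""
    try:
        rows = CONN.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
    except sqlite3.Error as e:
        return f"500 {type(e).__name__}: {e}"
    return f"found {len(rows)} user(s)"


def blind_endpoint(name):
    """Equally injectable, but swallows errors, so there is no error text to match."""
    try:
        rows = CONN.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
    except sqlite3.Error:
        return "found 0 user(s)"
    return f"found {len(rows)} user(s)"


def safe_endpoint(name):
    """Parameterized query: the input is never part of the SQL text."""
    rows = CONN.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return f"found {len(rows)} user(s)"


def error_indicator_probe(endpoint):
    """Scanner-style generic check: one stray quote, then grep for error signatures."""
    response = endpoint("alice'")
    return any(sig in response for sig in DB_ERROR_SIGNATURES)


def boolean_diff_probe(endpoint):
    """Response differencing: a true predicate must look like the baseline and
    differ from a false predicate. Works even when nothing is echoed."""
    baseline = endpoint("alice")
    true_case = endpoint("alice' AND '1'='1")
    false_case = endpoint("alice' AND '1'='2")
    return true_case == baseline and true_case != false_case


def scan(endpoint):
    """Run both probes against one endpoint function."""
    return {"error_indicator": error_indicator_probe(endpoint),
            "boolean_diff": boolean_diff_probe(endpoint)}


if __name__ == "__main__":
    for ep in (leaky_endpoint, blind_endpoint, safe_endpoint):
        print(ep.__name__, scan(ep))
```

The generic indicator finds only the endpoint that leaks its error; the blind endpoint is just as exploitable and passes that check cleanly, and only the differencing probe catches it. Neither probe says anything about the application logic that a manual review through a proxy is really after.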


---------Included Message----------
Date: 27-feb-2008 16:59:16 -0600
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Reply-To: "The EDUCAUSE Security Constituent Group 
Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Experiences with Web application 
vulnerability assessment (1) software (2) companies

Seconded.

Automated tools are great for quickly identifying potential problem areas or to satiate your resident auditor with a pretty graph. If this is where the assessment stops however, you are doing yourself a disservice. The Achilles heel in most well designed web applications is likely to be missed by all but the most persistent, thorough and oftentimes unorthodox eye. It is here that these solutions usually outlive their usefulness. Save your money and invest in skilled people.

That said, has anyone played with CDC's Goolag Scanner yet? ;)

-p

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on 
behalf of Hull, Dave
Sent: Wed 2/27/2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application 
vulnerability assessment (1) software (2) companies



I have used Web Inspect, but it's been a year and a half. My experience was that it was decent, but like many similar products it had a high number of false positives and did not catch everything.

For really critical web applications nothing beats a well trained Q&A team with time, tools and access to the source code. Again it's been a year and a half since I have done line-by-line code review professionally, but at that time it was more effective at finding flaws than any of the automated tools I tried. Obviously it's not as fast to do it by hand. It's that old trade off between fast, cheap and accurate. Pick two.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax  785.864.5393

"The free world says that software is the embodiment of 
knowledge about
technology, which needs to be free in the same way that 
mathematics is
free."
-- Eben Moglen, Software Freedom Law Center



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application 
vulnerability
assessment (1) software (2) companies

Have any schools had experiences with Web application security vulnerability assessment

(1) software -- (nstalker, appscan, etc.)

(2) companies / consultants who perform such services

Post to the list or to me.  I'll summarize.

H. Morrow Long
University Information Security Officer
Director -  Information Security Office


---------End of Included Message----------