WebApp Sec mailing list archives
Re: Web Application Analysis Tools?
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 12 Dec 2002 14:08:39 -0500
Flawfinder (http://www.dwheeler.com/flawfinder/), RATS, and ITS4 are all nicely discussed in this article http://www.linuxjournal.com//article.php?sid=5673. Mainly they focus on "generic" problems like buffer overflows and TOCTOU. My guess is that you would be far better off taking a good hard look at the OWASP guide and/or some of the web application security books out there, and doing a code review yourself. You'll want to focus on the problems that are most likely to present serious risks to your site, like SQL injection, XSS, error handling, crypto problems, etc. Check the recent "top ten" thread for more.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com

----- Original Message -----
From: Kevin Spett
To: David Simcik ; Webappsec
Sent: Thursday, December 12, 2002 1:47 PM
Subject: Re: Web Application Analysis Tools?

RATS audits PHP, Perl, Python and C/C++. I haven't used it, so I can't attest to how valuable the results are. In any case, there's a cool image on the RATS site: http://www.securesoftware.com/

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "David Simcik" <dave () simcik com>
To: "Webappsec" <webappsec () securityfocus com>
Sent: Thursday, December 12, 2002 12:50 PM
Subject: Web Application Analysis Tools?

Where I work, we (read: I) have spent a considerable amount of time focusing in on locking down our sites/servers on the system level, from, say, IIS down, through a variety of ways. I should point out that we're a small web development shop in academia. I'd now like to focus on our web application source as well. Are there any analysis/auditing tools out there (especially free/inexpensive ones) that will help with this? I suspect there aren't any "one size fits all" type solutions out there for this, but I have to try. Thanks!

David
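The distinction drawn in the reply above (tools like Flawfinder, RATS and ITS4 look for "generic" C problems such as unsafe calls and TOCTOU, while the risks that matter for a web site, SQL injection and XSS among them, need rules of their own) can be shown with a small rule-based scanner. The code below is an added illustration, not code from the thread or from any of the tools it names; its rule sets, the `scan`/`scan_c` functions and both sample sources are constructed for this example, and a scanner of this kind has no understanding of data flow, so it reports only lines that match its patterns.

```python
"""Minimal rule-based source scanner in the spirit of Flawfinder, RATS and ITS4.

Added illustration, not code from the thread or from any of those tools.
The "generic" rule set catches dangerous C calls and an access()/open()
TOCTOU pair; the web rule set looks for SQL built from strings and request
data echoed without escaping. Both sample sources below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# Generic C rules of the kind the tools named in the thread apply.
C_RULES = {
    "dangerous-call": re.compile(r"\b(?:strcpy|strcat|sprintf|gets)\s*\("),
    "toctou-check": re.compile(r"\baccess\s*\("),
}
ACCESS_ARG = re.compile(r"\baccess\s*\(\s*([^,]+),")
OPEN_ARG = re.compile(r"\b(?:open|fopen)\s*\(\s*([^,)]+)")

# Web-application rules (PHP-style syntax) for problems the reply says to prioritise.
WEB_RULES = {
    # A double-quoted SQL statement that interpolates "$var" or is concatenated with ". $var".
    "sql-concat": re.compile(
        r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*(?:\$\w+[^"]*"|"\s*\.\s*\$)', re.I),
    # echo of request data on a line with no htmlspecialchars()/htmlentities() call.
    "unescaped-output": re.compile(
        r"\becho\b(?!.*\bhtml(?:specialchars|entities)\s*\().*\$_(?:GET|POST|REQUEST|COOKIE)\["),
}


def scan(source: str, rules: dict) -> list:
    """Line-oriented scan: every rule that matches a line yields one Finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in rules.items():
            if pattern.search(line):
                findings.append(Finding(name, lineno, line.strip()))
    return findings


def scan_c(source: str, window: int = 5) -> list:
    """Generic rules plus a pairing heuristic: access() followed within
    `window` lines by open()/fopen() on the same path expression."""
    findings = scan(source, C_RULES)
    pending = None  # (line number, path expression) of the latest access() check
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ACCESS_ARG.search(line)
        if m:
            pending = (lineno, m.group(1).strip())
            continue
        m = OPEN_ARG.search(line)
        if m and pending and lineno - pending[0] <= window and m.group(1).strip() == pending[1]:
            findings.append(Finding("toctou-pair", lineno, line.strip()))
            pending = None
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: classic C problems the generic rules are built for.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);
    if (access(argv[1], R_OK) == 0) {
        FILE *f = fopen(argv[1], "r");
    }
    return 0;
}
"""

# Constructed sample: web problems the generic rules say nothing about.
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
mysql_query($q);
echo "Hello " . $_GET['name'];
echo htmlspecialchars($_GET['name']);
$q2 = "DELETE FROM users WHERE id = $id";
"""

if __name__ == "__main__":
    for label, found in (("C, generic rules", scan_c(SAMPLE_C)),
                         ("PHP, web rules", scan(SAMPLE_PHP, WEB_RULES)),
                         ("PHP, generic rules", scan(SAMPLE_PHP, C_RULES))):
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.rule:<17} line {f.line}: {f.text}")
```

Running the generic rules over the PHP sample yields nothing, which is the point of the reply: the SQL string built from `$id` and the unescaped `echo` of request data are only found by rules written for the web application, and even those are pattern matches to be confirmed by reading the code, not a substitute for the review itself.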