WebApp Sec mailing list archives

RE: Spi's products worth a try? Or any suggestions for developers' tool?


From: "Thomas Brennan" <tbrennan () datasafeservices com>
Date: Sun, 6 Nov 2005 20:11:48 -0500

Aman, I take it you're on the "team" that is overworked -- I feel your
pain ;)

Just a couple of thoughts to help with your question in a more comprehensive
way than a simple product yea/nay plug.

1a. - print out a copy of the OWASP 2.1 Guide to Building Secure Web
Applications
http://www.owasp.org/documentation/guide/guide_downloads.html and
distribute it to your developers as reading/reference material to increase the
digital awareness of the individual coder.

1b. hold an internal class/webex/seminar/pizza party, whatever... to
speak to the areas of development that affect your base of applications.
This will mean the testers and the coders in the same room sharing
information and working together. It is very helpful to outline the
development lifecycle and the testing lifecycle so both sides get an
understanding of the common goal, and then have each group align under a
common QA/Reporting method such as DREAD.

2. - to reduce the "testing team time" we totally agree that the
development groups should perform QA testing, treating security flaws in
applications as "bugs". We have seen tools (full disclosure: we have some
of the following tools in our toolbox) provide a good 30-60%+ rate of
catching coding flaws. I would recommend: SPI, NTO Spider, CENZIC,
AppDetective etc.... Some are better than others, hence the open
commercial market; some cost more, some do more etc... and of course
don't forget about good old Nikto. (Get googling to find more
information on those apps.)

But a combination of tool scanning, code review and a human's digital
knowledge in appsec testing is the defense-in-depth approach to finding
more vulnerabilities and spending less on countermeasures.

Arian Evans recently did a funny presentation on tools that you could
review at:
http://www.owasp.org/docroot/owasp/misc/OWASP_DC_2005_Presentations/Track_2-Day1/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt
Worth checking out -- Arian's a solid guy - he did a good baseline, but in the end you're
going to need to talk to the vendors individually, get a lab set up and
perform an evaluation of the products yourself and test apples to apples
with current versions.

Your evaluation and test results could be a nice non-vendor written
whitepaper for the community <hint hint>

P.S. - Good luck with your new Treo 650 <doh> yes we all read other
mailing lists as well - pssh - The EVDO Samsung i730 is a better value, and
with bluetooth dialup you're never without a secure connection, but
that's another list topic - reply ;)

Hope this puts things into a better perspective?

Thomas Brennan
DATA SAFE SERVICES
"Because Security is NOT the default"
Tel: 973-795-1046 | Fax: 973-428-0293 
Web: www.datasafeservices.com

-----Original Message-----
From: Aman Raheja [mailto:araheja () techquotes com] 
Sent: Friday, November 04, 2005 12:40 PM
To: webappsec () securityfocus com
Subject: Spi's products worth a try? Or any suggestions for developers' tool?

Hello
Does anyone have any experience with Spi's tools for web application
vulnerability scanning?
http://www.spidynamics.com/products/index.html
I need to suggest a developers' tool so that they can self-assess their
application and reduce the overhead of the testing team.
Any advice?
Thanks in advance.
Regards
Aman Raheja

http://www.techquotes.com

