Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners

[Albert <caruabertu () gmail com>]

While monoculture tests can, at present, be only a part of the entire
test suite, the need to create secure applications will no doubt, in a
manner analogous to the standardization of mechanical components,
results in a massive reduction in the degrees of freedom available to
application developers - they shall increasingly need to be able to
use standard tools and standard components to create different
applications.

One way of forcing their hand could be to develop an excellent and
reliable test matrix and method which is suitable for one set of tools

Industry pressure will however only come about when there is a
financial or legal penalty for the failure of applications as at
present it is usually the users not the developers of an application
who suffer if the application fails.

a

George Bernard Shaw "A reasonable man adapts himself to his
environment. An unreasonable man persists in attempting to adapt his
environment to suit himself. Therefore, all progress depends on the
unreasonable man."


|-----Original Message-----
|From: "René Palige" [mailto:R.Palige () gmx de]
|Sent: 24 August 2006 15:45
|To: enis.karaarslan () ege edu tr; webappsec () securityfocus com
|Subject: Re: [WEB SECURITY] RE: Environment for testing WebApp
|Security Scanners
|
|Hi!
|
|I already stumbled across Stanford SecuriBench. There are 2
|points troubling me:
|
|First, the SecuriBench is solely based on Java. That way it
|represents some kind of technological monoculture: Several
|people already mentioned scanners might deliver differing
|results depending on the technology on which they are used.
|That way SecuriBench might be _part of a complete TestSuite,
|but not the only one.
|
|Second, it has been publically available for quite some time.
|Scanner vendors might already have adopted their products
|accordingly.
|Benchmarking results would be rather useless if the flaws were
|not previously unknown for sure.
|
|Regards,
|René Palige
|
|On Thu, 24 Aug 2006 09:08:29 +0200, Enis Karaarslan
|<enis.karaarslan () ege edu tr> wrote:
|
|> Hello all,
|>
|> I am currently working on web/web application security issues in
|> enterprise networks as an academic study. I think, the fundamental
|> problem (especially in campus networks), there is usually no
|"network
|> awareness".
|> In enterprise networks, hundreds of different web servers and
|> different web applications can be present, where usually
|nobody knows
|> detailed info about web servers and applications running on them.
|>
|> Maybe most of you know,
|> For security testing environment there is Stanford
|Securibench, which
|> is a set of open source real-life programs to be used as a testing
|> ground for static and dynamic security tools. Release .91a
|focuses on
|> Web-based applications written in Java.
|> http://suif.stanford.edu/~livshits/securibench/
|>
|> There are many web/ web application security scanners. If anyone
|> intrested in this subject and also for a joint work, s/he is always
|> welcome.
|>
|> Enis Karaarslan
|> Ege University
|>
|>> I added the WASC list, since many folks there are sensitive to this
|>> same subject.
|>>
|>>> -----Original Message-----
|>>> From: René Palige [mailto:rwp () gmx de]
|>>>
|>>> I?m currently working on my bachelor thesis which is about the
|>>> development  of a testsuite for different Web Application Security
|>>> Scanners. My goal is to provide an environment
|>>
|>> This, I discovered, was very challenging. When I post the
|OWASP Tools
|>> v3, one section of it is going to be about my trials and
|>> tribulations, mistakes, misfires and general stupidity in trying to
|>> scientifically, systematically evaluate tools, which culminated in
|>> the HEWA2 book.
|>>
|>> No one has done a good job at this, most reviews are just
|plain crap
|>> (sorry, everyone, it's the truth; if there's a good review
|to defend
|>> please step up to the plate).
|>>
|>> I have been holding off releasing v3 (which is a narrative
|doc) until
|>> I can put it out for peer review before making a final, hard, PDF.
|>> (should I just post to the list and let everyone chime in?...I'm
|>> afraid to do this b/c some of it is _not_nice_) I hope someone will
|>> wikify the end product.
|>>
|>>> I?m planning to use OWASPs WebGoat as some kind of groundwork.
|>>
|>> Not bad, but you will need more. Unless your thesis is "how
|>> effectively do webappscanner vendors code to detect issues in
|>> WebGoat?"
|>>
|>>> Would it be best to focus on "real-life scenarios"?
|>>
|>> That's what I fell upon. It's a bit more realistic.
|>>
|>> You get no tautology from the scanner vendors. You get real
|use-case
|>> scenarios, and a story to tell.
|>>
|>>> Or rather to cover as many
|>>> aspects of a special class of vulnerabilities as possible?
|>>
|>> This, also, I tackled, and have an evolving-complexity XSS
|generator;
|>> I have a couple of types now and continue to add more as time
|>> permits, and it is use specifically to generate XSS-vuln pages of
|>> varying filter/encoding complexity.
|>>
|>> It really should be in SiteGenerator (owasp.net) but it
|helps me make
|>> sure I'm not misunderstanding something to force myself to write
|>> complicated mistakes out by hand. :)
|>>
|>> Maybe I'll just rip the scanner eval story and post just that.
|>>
|>> Very cool, we need some smart grad work here.
|>>
|>> Arian J. Evans
|>>
|>>
|>>
|---------------------------------------------------------------------
|>> -------
|>> The Web Security Mailing List:
|>> http://www.webappsec.org/lists/websecurity/
|>>
|>> The Web Security Mailing List Archives:
|>> http://www.webappsec.org/lists/websecurity/archive/
|>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
|>>
|>>
|>
|>
|>
|>
|>
|----------------------------------------------------------------------
|> ---
|> Sponsored by: Watchfire
|>
|> Watchfire was recently named the worldwide market leader in Web
|> application security assessment tools by both Gartner and IDC.
|> Download a free trial of AppScan today and see why more customers
|> choose AppScan then any other solution. Try it today!
|>
|https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008V
|> nB
|>
|----------------------------------------------------------------------
|> ----
|>
|
|
|
|---------------------------------------------------------------
|----------
|Sponsored by: Watchfire
|
|Watchfire was recently named the worldwide market leader in
|Web application security assessment tools by both Gartner and IDC.
|Download a free trial of AppScan today and see why more
|customers choose AppScan then any other solution. Try it today!
|
|https://www.watchfire.com/securearea/appscancamp.aspx?id=701500
000008VnB
|---------------------------------------------------------------
|-----------
|
|