WebApp Sec mailing list archives
RE: [WEB SECURITY] RE: Web Application Scanners Comparison
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 28 Jan 2009 21:16:37 -0000
> I know some of you disagree - but maybe we can get some intelligent discourse around this?
maybe... :)

I personally don't think there is only one way to test a web app, in the same way that there isn't only one way to develop it. Targeted testing is good, but may provide limited coverage for the time expended. Whilst crawling can be a bit of a blunderbuss, it can pick out obscure stuff that you'll not typically find by any other approach, unless you spend a disproportionate amount of time manually analysing every page in infinite detail.

The best balance is a little of column A and a little of column B (*), which is where the value of a person driving the process beats a point-and-click tool every time.

We regularly provide assessment projects to clients that have bought and use one of the web scanners within their dev or QA teams, and when we come back with a collection of show-stopper issues that weren't picked up by the scanner, we have to take a deep breath and explain that marketing material may not be entirely true.

The real problem here though is perception. A web scanner isn't an assessment; it may support one, but it isn't one of itself. Buying one and expecting it to find all the issues in every app is unrealistic. Selling it as doing so is pants-on-fire material. :o

Martin...

(*) tm Dave Ryan, all rights reserved.