WebApp Sec mailing list archives

RE: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities


From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>
Date: Mon, 8 Mar 2010 14:30:29 -0500

Yeah, Steve's is just a nice approach; my experience is the same, you
will hardly find a non-vulnerable custom application.

Besides, you will improve your internal systems' security, but fix them
fast or you could suddenly have those vulnerabilities exploited in
production and some grades changed :).

Regards,
JC 

-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham () gmail com] 
Sent: Lunes, 08 de Marzo de 2010 12:04 p.m.
To: Rogan Dawes
Cc: webappsec () securityfocus com; Holger Peine; websecurity () webappsec org
Subject: Re: [WEB SECURITY] Re: Need a real Java web application with
vulnerabilities

Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-)
>
> As an open source app, the student would be able to see the change logs,
> and any security announcements for the app, and would be able to make
> use of those to identify known vulnerabilities in that version of the app.
>
> I suggest you look for a project that may have had a history of
> vulnerabilities (suggesting that they may still have others), but assign
> the student to review the current version of the app.
>
> Regards,
>
> Rogan

Unfortunately, as Rogan says, there's really no way for you to guarantee
there are flaws in any webapp without knowing what they are.

Based on prior experience, if you take any of your internal department
webapps of any complexity and let them work on (a non-production version
of) those, there will be flaws.  Also, finding less well known open
source projects that probably haven't been widely deployed and tested
raises the chances it has problems.  Extra points for projects that
haven't been maintained in a few years and built with slightly older
frameworks.

I don't think I've ever turned in a report at the end of an assessment
that says everything was done correctly, even when dealing with very
competent teams in frameworks with the latest defenses.  I doubt finding
flaws in an internal app, or in a decent-size but not widely deployed open
source project unmaintained since the early 2000s, would be very hard.

Steve
-- 
  | Steven Pinkham, Security Researcher    |
  | http://www.mavensecurity.com           |
  | GPG public key ID CD31CAFB             |

