RE: Application Assessment

From: Mark Curphey (mark@curphey.com)
Date: Thu Aug 11 2005 - 11:52:26 EDT

• Next message: Daniel Miessler: "Re: Nmap/netwag problem."
• Previous message: Philip: "New Cíalís CHEWABLES! Save 60%! NEW!"
• In reply to: Ory Segal: "RE: Application Assessment"
• Next in thread: Glyn Geoghegan: "Re: Application Assessment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Seems like it would be pretty valuable to publish an independent (not by the
vendors or the vendors consortium) review of performance the web app
scanners. Last time I looked the trial agreements prevented publication of
comparisons and results. I know of a few magazines that would be happy to
publish the results and I would volunteer to organize the testing.

-----Original Message-----
From: Ory Segal [mailto:osegal@watchfire.com]
Sent: Thursday, August 11, 2005 6:16 AM
To: goenw
Cc: pen-test@securityfocus.com; Webappsec
Subject: RE: Application Assessment

 Hi,

You should also check: http://www.webappsec.org (Web Application Security
Consortium)

With regards to utilities, you can download the free Watchfire Powertools
(HTTP Proxy, HTTP request editor, etc.), here's the link:
http://www.watchfire.com/securityzone/download/default.aspx

At the same link, you can also download eval versions of Watchfire's AppScan
product (An automated application security scanner).

You can also find basic and advanced whitepapers on the subject at:
http://www.watchfire.com/news/whitepapers.aspx

-Ory

-----Original Message-----
From: Glyn Geoghegan [mailto:glyng@corsaire.com]
Sent: Thursday, August 11, 2005 4:48 AM
To: goenw
Cc: pen-test@securityfocus.com; Webappsec
Subject: Re: Application Assessment

On 8 Aug 2005, at 12:53, goenw wrote:

> Hi,
>
> anybody have experience with application assessment ? I am a network
> guy, dont know much about the apps PT.
> 1. is there any tools that allow me to do the assessment throughly ?

If you're talking web-applications, check out www.owasp.org for a wealth of
information on the subject. You may also want to take a look at the
webappsec mailing list at www.securityfocus.com.

Typically, the kind of tools you'll need are the personal-proxy category,
allowing you to intercept and modify communications between the client and
server - see Paros Proxy, Odysseus and Burp Proxy, for example.

There are fully automated tools, but in my personal experience the manual
approach has worked more effectively.

Fat client/binary assessment is a slightly different (and arguably more
complex) beast, and probably off-topic for this list.

> 2. should i have external party conduct this, what are the things i
> should expect from them (success criteria) ?
> any comments are appriciated.

That depends on how confident you are with your abilities, the drivers for
the assessment and a wealth of factors. Normally, some coding or
development background is essential to identify and understand potential
vulnerabilities.

Check out www.application-testing.com for our guide on the world of
Application Security Assessments.

--
-------------------------------------------------------
G l y n   G e o g h e g a n                   BSc, ARCS
Principal Consultant                       Corsaire Ltd
3 Tannery House, Tannery Lane
Send, Surrey, GU23 7EF, UK      UK: +44 (0)1483 226 000
http://www.corsaire.com        Fax: +44 (0)1483 226 001
-------------------------------------------------------
----------------------------------------------------------------------------
--
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN
by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity thefts
and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

• Next message: Daniel Miessler: "Re: Nmap/netwag problem."
• Previous message: Philip: "New Cíalís CHEWABLES! Save 60%! NEW!"
• In reply to: Ory Segal: "RE: Application Assessment"
• Next in thread: Glyn Geoghegan: "Re: Application Assessment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:44 EDT