Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Source code review/scanner

from [Erin Carroll] Network Security [Permanent Link]
Subject: RE: Source code review/scanner
Date: Tue, 21 Aug 2007 13:59:35 -0700 
This isn't necessarily a pen-test subject but I let it through since the
majority of problems or holes I've encountered when doing pen-testing could
have been mitigated to a large extent using this type of internal testing.
Is there a quatifiable value-add, how do tools like this affect your
approach to testing, etc. Plus, I want to see what the rest of the list has
to say about it :)

Products I would recommend are from SPI Dynamics (now HP since they were
recently bought); DevInspect and QAInspect. These tools integrate fairly
seamlessly with existing Dev and QA platforms (Visual Studio, Eclipse,
Rational, HP Quality Center, etc) and can automate a large portion of source
and QA security VA without requiring your devs to be security experts.
Pretty much click an added button in your current framework, it analyzes for
common issues (unsanitized inputs, undeclared values, BO's et al) and flags
them for the devs or QA teams to address. I'd be interested to hear what
other products are in the same space.

I'm not affiliated with SPI (just a satisfied customer) and have seen how
these products can minimize the game of security whack-a-mole at the
production level. Some of the more secure sites I've tested in the past have
had some or all of these processes and tools in place to some extent.


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 



-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of xelerated
Sent: Tuesday, August 21, 2007 6:10 AM
To: pen-test@securityfocus.com
Subject: Source code review/scanner

All,
Im looking for something for another dept. to help them 
review both source code and web app code created by our 
developers. The main types being VB and ASP.

Standard manual testing will still take place, but id like to 
get something to check the obvious things before it goes into testing.
Can anyone recommend some tools for both aspects?
Due to separation of duties neither I or the others in 
network security nor the developers will be doing the source 
code testing. So im trying to find something that works for 
those with less than optimal security or coding knowledge.

Thanks for your input

--------------------------------------------------------------
----------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------
----------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Port Scanning Issues, Strykar
Next by Date:  No cON Name 2007 - CALL FOR PAPERS, deese
Previous by Thread:  RE: Source code review/scanner, Shenk, Jerry A
Next by Thread:  Re: Source code review/scanner, Nikhil Wagholikar
Indexes:  [Date] [Thread] [Top] [All Lists]