
| Subject: | Categories for application security testing & tools |
|---|---|
| Date: | Wed, 2 Mar 2005 12:01:11 -0600 |
What: need for a Talisker or SANS-type tool-list resource for application security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.

This email: Propose categories for organizing application security tools.

Proposal: Categorize by type of testing one would use the tool to perform.

Detail: Plan to keep this on OWASP or my personal website. Please provide feedback on the distinctions below: if you think they make sense; if you'd prefer some other (e.g. cost, color, extremeness, etc.).

Nota bene: this is X-posted to webappsec, secprog, and SC-L.

Categories: There are six common ways people use to assess an application for security vulnerabilities, five of which work:

- Vulnerability Scanning (think Qualys, Retina)
- Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)
- Sandboxing for Fault Injection analysis (think Holodeck, monitoring file/reg/proc with Sysinternals tools, etc., combined with FI tools)
- Binary Analysis (the mysteriously disappearing SmartRisk Analyzers, manual w/IDA Pro)
- Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)
- Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)

Problems: some tools cross boundaries; SecurityChecker, for example, is both Fault Injection and Static Source Analysis.

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com