Network Security SecProg

Re: Categories for application security testing & tools

Subject: Re: Categories for application security testing & tools
Date: Fri, 01 Apr 2005 23:34:15 -0500
Evans, Arian wrote:

What: need for a Talisker or SANS-type tool-list resource for application
security testing/analysis tools, and eventually (maybe) app-firewalls/IDS.

This email: Propose categories for organizing application security tools.

Proposal: Categorize by type of testing one would use the tool to perform.

Detail: Plan to keep this on OWASP or my personal website.

Please provide feedback on the distinctions below: if you think they make
sense; if you'd prefer some other (e.g.-cost, color, extremeness, etc.).

nota bene: this is X-posted to webappsec, secprog, and SC-L

Categories:

There are six common ways people use to assess an application for
security vulnerabilities, five of which work:

-Vulnerability Scanning (think Qualys, Retina)
-Fault Injection/Blackboxing (think WebInspect, Scando, SPIKE, etc.)
-Sandboxing for Fault Injection analysis (think Holodeck, monitoring file/reg/proc with Sysinternals tools, etc., combined with FI tools)
-Binary Analysis (the mysteriously disappearing SmartRisk Analyzers, manual w/IDA Pro)
-Static Source Code analysis (Ounce, Fortify, etc. etc. etc.)
-Threat Modeling and Architectural Analysis (SecuriTree, MS TM, etc.)


Problems: some tools cross boundaries; SecurityChecker, for example, is both Fault Injection and Static Source Analysis.


Thanks,
Arian Evans
Sr. Security Engineer
FishNet Security


Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com

How about a category for *tools and processes* that make you *think* about security during software development? For example, CLASP by Secure Software, Inc
www.securesoftware.com/solutions/clasp.html
http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/oct04/viega/


Current Thread:
  • Re: Categories for application security testing & tools, Ashish Popli