You should probably make it into a real project if this is for your company.
First, formulate your objectives/mission. Establish your legal and business'
requirements. Research and validate your options, formulate a methodology,
implement the methodology, then measure the results. Plan to followup at
selected intervals.
Your plan of attack is to: Learn web app security, gather some tools, then
pen-test your own system.
You may want to check out SecFocus' article:
http://www.securityfocus.com/infocus/1809 Also, try WebGoat:
http://www.owasp.org/software/webgoat.html This project is a teaching
environment for Web Application Security. Once you are familiar with
ins-outs of web sec, you can use those skills to independantly test your
system. Next, familarize yourself with the top 20 security vulnerabilities
http://www.sans.org/top20/
Then check out http://www.insecure.org/tools.html for the Top 75 Security
Tools. Try WebScarab http://www.owasp.org/software/webscarab.html and
finally http://www.owasp.org/documentation/testing.html OWASP's Testing
Project.
Design your company's methodology, implement it, and followup.
Or hire someone to do all this for you!
--
Christopher Canova, Student
canovac@earthlink.net
http://home.earthlink.net/~canovac
-----Original Message-----
From: Gare [mailto:gare@wanadoo.es]
Sent: Thursday, November 04, 2004 2:05 PM
To: webappsec@securityfocus.com
Subject: Check security
I what know if there is any software to test the security of a web app, some
app that can throw attacks to my web application as if it were a hacker.
I know, and use, rats to scan the code of my php scripts, but I would like
to find a soft that can perform a test in running conditions, before I put
my app in my production server.
Any idea?
