
| Subject: | RE: Web Site Certification |
|---|---|
| Date: | Thu, 27 Apr 2006 14:01:19 -0400 |
MOST of these services do a solid network vulnerability scan (Nessus) and fail miserably on web application scan quality. If you put a logo on a web application and proclaim it is safe and trustworthy, you need to ensure the web application is actually tested correctly. A few Nessus web NASL tests don't cut it...

Buyer beware: if you go down the route of using a "certification" service, ask the following questions.

1) What application layer scanning technology is utilized? If it's built "in-house", I would download a trial copy of a web application scanner (SPI Dynamics or Watchfire my pref) and compare results.

2) Do they test for all the components mentioned in the WASC? http://www.webappsec.org/projects/threat/v1/WASC-TC-v1_0.txt

3) Do they customize the application scan policy for your web application (all site parameters accounted for and verify crawl quality)?

...Then make them prove it to you.

Depending on the web application, automated testing takes you 50-75% of the way. The quality of the policy and customized testing gets you a little bit further. However, it is a very difficult task. I find it hard to believe all this work would be done for just a few hundred bucks a year per web application. There are companies who do focused managed web application scanning, a little more expensive but with a better end result.

Regards,
Adam Mikrut
CTO DigitalStakeout, LLC
Web: www.digitalstakeout.com
Phone: 678-638-6281
Fax: 678-638-6283
Who's Watching The Watchers? DigitalStakeout! MSSP SLA Enforcement Services
-----Original Message-----
From: Nathaniel Hall [mailto:lists@nathanhall.net]
Sent: Thursday, April 27, 2006 9:24 AM
To: Marco Passarella
Cc: webappsec@securityfocus.com
Subject: Re: Web Site Certification

Marco Passarella wrote:
Hi all, what do you think about the remote services that promise that your site is "hacker free"? Can you really monitor the security of a site remotely using a scanner? Here is an example: http://www.scanalert.com/
It isn't that the site is necessarily "hacker free." They have simply guaranteed that the site is not vulnerable to the FBI/SANS top vulnerabilities (www.sans.org/top20/). They also meet various credit card requirements (VISA CISP/PCI). Click on the "Hacker Safe" logo to see an explanation.

--
Nathaniel Hall, GSEC GCFW GCIA
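Point 3 in Adam Mikrut's message above ("all site parameters accounted for and verify crawl quality") is the one question a buyer can verify independently: ask the vendor for the scanner's request log and compare it against the application's own inventory of endpoints and parameters. The script below is an added example written for this page, not code from the thread or from any scanner vendor; the application surface, the scanner crawl lines and the hostname shop.example are constructed sample data, and the "METHOD URL" log format is an assumption.

```python
"""Crawl-coverage check for a web application scan.

Added example (not from the mailing-list thread): before trusting a
"certification" scan, compare what the scanner actually requested against
the application's own inventory of endpoints and parameters. Both inputs
below are constructed sample data; the "METHOD URL" log format and the
hostname are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed: what the application owner knows exists (method, URL with
# representative parameters). In practice this comes from routing tables,
# access logs, or a manual walkthrough of the site.
KNOWN_SURFACE = [
    ("GET",  "https://shop.example/search?q=shoes&sort=price"),
    ("GET",  "https://shop.example/product?id=42"),
    ("POST", "https://shop.example/cart/add?id=42&qty=1"),
    ("POST", "https://shop.example/login?user=a&pass=b"),
    ("GET",  "https://shop.example/account/orders?page=2"),
    ("POST", "https://shop.example/account/address?street=x&zip=y"),
]

# Constructed: lines from a scanner's request log / crawl export.
# Note the crawler never got past login, never sent 'sort', and spent
# requests on robots.txt, which is typical of an untuned crawl.
SCANNER_CRAWL = """\
GET https://shop.example/
GET https://shop.example/search?q=test
GET https://shop.example/product?id=1
GET https://shop.example/product?id=2
POST https://shop.example/login?user=test&pass=test
GET https://shop.example/robots.txt
"""


def normalize(method, url):
    """Reduce a request to (METHOD, path, frozenset of parameter names).

    Parameter values are irrelevant for coverage: a scanner that fuzzed
    id=1 and id=2 has exercised the same surface as id=42.
    """
    parts = urlsplit(url)
    params = frozenset(parse_qs(parts.query, keep_blank_values=True))
    return (method.upper(), parts.path.rstrip("/") or "/", params)


def parse_crawl(text):
    """Parse 'METHOD URL' lines (assumed log format) into normalized tuples."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, url = line.split(None, 1)
        seen.add(normalize(method, url))
    return seen


def coverage_report(known, crawl_text):
    """Return (covered, missed_endpoints, missed_params).

    An endpoint counts as covered when the scanner hit the same method and
    path at least once. For covered endpoints, parameters the scanner never
    sent are reported separately, since a crawler can reach /search without
    ever submitting 'sort'.
    """
    seen_by_endpoint = {}
    for m, p, params in parse_crawl(crawl_text):
        seen_by_endpoint.setdefault((m, p), set()).update(params)

    covered, missed_endpoints, missed_params = [], [], {}
    for method, url in known:
        m, p, params = normalize(method, url)
        if (m, p) not in seen_by_endpoint:
            missed_endpoints.append(f"{m} {p}")
            continue
        covered.append(f"{m} {p}")
        missing = sorted(params - seen_by_endpoint[(m, p)])
        if missing:
            missed_params[f"{m} {p}"] = missing
    return covered, missed_endpoints, missed_params


def coverage_ratio(known, crawl_text):
    """Fraction of known endpoints the scanner requested at all."""
    covered, missed, _ = coverage_report(known, crawl_text)
    return len(covered) / (len(covered) + len(missed))


if __name__ == "__main__":
    covered, missed, params = coverage_report(KNOWN_SURFACE, SCANNER_CRAWL)
    print(f"endpoint coverage: {coverage_ratio(KNOWN_SURFACE, SCANNER_CRAWL):.0%}")
    for e in missed:
        print("never requested:", e)
    for e, ps in params.items():
        print(f"parameters not exercised on {e}: {', '.join(ps)}")
```

On the constructed data the scanner reaches only half of the known endpoints and never submits the `sort` parameter on `/search`; everything behind authentication is untouched. A vendor claiming a customized policy should be able to hand over a request log that scores close to 100% on this check, and anything it reports as unexercised is exactly what the "certified" logo is silent about.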