Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Open Source Application Vulnerability Assessment Tools

from [Stephen de Vries] Network Security [Permanent Link]
Subject: Re: Open Source Application Vulnerability Assessment Tools
Date: Thu, 28 Sep 2006 15:05:09 +0700 

Hi Allen,


On 28 Sep 2006, at 02:40, Brokken, Allen P. wrote:

On this list we talk a lot about various vendor provided tools quite a
bit. In general it appears most solutions are Windows-centric in their
installation even if they work against multiple platforms.

With the prevalence of LAMP systems I would figure there must be some
means of doing a security assessment on their applications with native
tools.  It seems odd to me that there isn't a NESSUS equivalent for
application testing.  I'm wondering what is available from the Open
Source community in the way of

* Black Box web assessment software

- Paros (www.parosproxy.org) - Java based, does automated spidering and scanning
- WebScarab (www.owasp.org) - Java based, more manual approach, very flexible and includes a beanshell console
- Burp (http://www.portswigger.net/proxy/)
- Odysseus proxy http://www.wastelands.gen.nz/odysseus/index.php
- Spike proxy http://www.immunitysec.com/resources-freesoftware.shtml
- and many more

* Source code assessment software

- LAPSE Source code analysis, for scanning Java applications
(http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project)
- Findbugs, Checkstyle, PMD (you can google them), all source code analysis tools for finding common Java software bugs, have some elementary security tests but are fully customisable so you can easily write your own signatures.


regards,

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen@corsaire.com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com





-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning), Jan P. Monsch
Next by Date:  Google Security Team Contacts?, Dave Wichers
Previous by Thread:  Open Source Application Vulnerability Assessment Tools, Brokken, Allen P.
Next by Thread:  Re: Open Source Application Vulnerability Assessment Tools, Aman Raheja
Indexes:  [Date] [Thread] [Top] [All Lists]