Re: WebAppSec Training Courses in UK

From: Jeff Williams (at) Aspect <(at)>
Date: Tue Dec 03 2002 - 22:40:13 EST

I'm arguing that if you have $20K to spend, you're better off doing both than one. If someone approached me and said they'd review my web application and didn't ask for the source...I'd look elsewhere. If they didn't ask for access to the staging server and some accounts, same deal.

I know it sounds strange to say doing both is the same cost. But in terms of finding the serious holes fast, the combined approach is the way to go. I like securityarchitect's analogy to a medical exam...but the conclusion he/she reached seems wrong to me. Even if I have cancer, I want the doctor to use the CAT scan, take my temperature, and check my eyes. I could have West Nile virus and astigmatism.

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com

----- Original Message -----
From: Kevin Spett
To: Jeff Williams @ Aspect; dan@idsec.com; glyn.geoghegan@corsaire.com; securityarchitect@hush.com
Cc: webappsec@securityfocus.com
Sent: Tuesday, December 03, 2002 9:16 PM
Subject: Re: WebAppSec Training Courses in UK

Of course doing both is the best solution, but it may not be economically feasible. That's my point. I don't have figures in front of me on average security budgets, costs of pen-tests, code reviews, etc., but I believe that with what most people have in a security budget and with what most qualified security professionals charge for those services, it is not possible, in most cases, to have both. Or am I missing your point?

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Jeff Williams @ Aspect" <jeff.williams@aspectsecurity.com>
To: "Kevin Spett" <kspett@spidynamics.com>; <dan@idsec.com>; <glyn.geoghegan@corsaire.com>; <securityarchitect@hush.com>
Cc: <webappsec@securityfocus.com>
Sent: Tuesday, December 03, 2002 8:56 PM
Subject: Re: WebAppSec Training Courses in UK

> The underlying question here is -- how do you find the most serious
that
> are extremely difficult to find with penetration testing. Likewise,
web
> app development. To be effective, they need to be able to read and
the
> best bang for your buck. Code review is way too easy and productive
to
> leave out of your balanced security breakfast.
to
> check the web server for misconfiguration issues. And the web
mean
> nearly every last one of them) don't. So let's say you've got a $20k
a
> source code auditor. Two and a half work weeks (using $200/hour and
mention
> securing multiple server configurations. An experienced pen-test team
management,
> etc. in the beginning, but most people don't have that luxury. So
security-conscious
> overhaul in policy and implementation is a great idea, as is a
complete
> manual source code and configuration audit. But in a more practical
deployed,
> and
> all of a sudden a manager says 'Hey! Make sure it's secure!' , you may
training
> is
> woefully inadequate in todays world. Penetration testing is a snapshot
also
> see
> why we the clients (yeah we as in my company and others at like minded
the
> things that should have been tested were. Secondly with 78% of attacks
is
> of
> little value. Too many companies reports read “High Vulnerability –
lines
> and
> find out you can change the page color and they have made an
incredible
> leap
> of faith from that to saying you “may” be able to login in with
another
> users username. An indicator of parameter tampering in one place can
would
> you
> take someone’s temperature? Would you look at their eyeballs? Hell No!
was
> how
> they are going to cover what I think should be included in a web
’s
> an
> assessment in itself! How are people using JNDI, LDAP JMS <insert
think
> the
> pen test comes in. But think of this. My requirements have shown that
every
> 21
> mins to each url (dumb in my opinion) or I can parse web.xml and
in
> ensuring that stuffs functioning as it should be that’s where it
belongs
> again IMHO, flamesOff(security, architect).
They
> are
> prevalent because consulting companies can pull the wool of clients
eyes
> with buzz words and hacker speak, not to mention the business model
that
> works well for the consulting companies. If you pay 40K for a hit and
$40K
> for
> the next then its not economical and the client will soon feel ripped
taking
> > >any action in reliance upon this information by persons or entities
Received on Tue Dec 3 23:24:47 2002


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT
