Re: Your help gratefully received
From: Jeff Williams (at) Aspect <(at)>
Date: Thu Feb 27 2003 - 15:16:35 EST

I strongly recommend a look at the OWASP top ten paper as a start towards a list of areas to examine. Also check the very last section of the paper for a list of a few areas that are important but didn't make the top ten.

The problem you'll have is that you won't be able to find all of the top ten with automated methods. I am a strong advocate of actually reading the code. No amount of bombardment from the outside is going to uncover design flaws, logic flaws, and a huge variety of other web application flaws.

If you want to find the biggest holes in the least amount of time, my experience is that code review in combination with scanning and penetration testing is the way to go. This provides the most information to the analyst and will allow them to find problems quickly. Security code reviews do not have to be painful, expensive efforts. When done properly, they are no more expensive than external testing, yet far more comprehensive.

--Jeff
Jeff Williams
Hi, I'm conducting a web app sec review for someone and would like some advice. I am assembling some tools that I need to use and also the areas that I am going to concentrate upon during my assessment. The objective here is to see how well I can do against an automated appsec scanning product against a non commercial test server in the lab. The questions I have are:
What tools do you recommend (for general and specific use, e.g. proxies, scanners, site dumping, etc.)?
Thanks very much in advance, Regards, Craig.

Received on Thu Feb 27 15:26:34 2003