-
January 25th, 2005, 02:42 PM
#1
Member
security test consultant
I want to be a consultant for web apps security testing.
Why would anybody need a consultant if they already have some open-source tool to do application vulnerability tests?
Any points?
-
January 25th, 2005, 02:46 PM
#2
Detecting vulnerabilities is one thing. Fixing them and educating your customer on how to avoid them in the future is another.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
-
January 25th, 2005, 06:07 PM
#3
The answer is very simple. A vulnerability scanner is unable to identify logical flaws within the application that cause security risks.
Further to that, most app scanners have problems in spidering a site correctly and maintaining correct state. They also have great problems with forms that have to be completed in a sequence, i.e. form 1, then form 2, then form 3.
But on their plus side, they are very good at static checks, i.e. looking for default files and searching for backups of used files.
So in reality, for an app security test you need both, because if you were to do all the checks manually, as a consultant you won't get any work because your quotes would be too big.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
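The "forms that have to be completed in a sequence" point above is a business-logic check, which is why a scanner firing independent requests at each URL cannot judge it. This added example (not code from the thread; the step names and handlers are constructed) shows a handler that trusts the submitted step beside one that enforces server-side order:

```python
"""Server-side enforcement of a multi-step form sequence.

Constructed example: a three-step flow (form1 -> form2 -> form3) where
each step must only be accepted once the previous one has completed.
Skipping or repeating a step is a logic flaw, not a signature a
scanner can pattern-match against a single response.
"""
from dataclasses import dataclass, field

STEPS = ("form1", "form2", "form3")


@dataclass
class Session:
    """Per-user server-side state; the client never controls 'completed'."""
    completed: list = field(default_factory=list)


def handle_step_vulnerable(session: Session, step: str) -> str:
    """Trusts the request: any known step is accepted in any order, any number of times."""
    if step not in STEPS:
        return "400 unknown step"
    session.completed.append(step)
    return "200 accepted " + step


def handle_step_hardened(session: Session, step: str) -> str:
    """Accepts a step only if it is the next one the server expects."""
    if step not in STEPS:
        return "400 unknown step"
    done = len(session.completed)
    expected = STEPS[done] if done < len(STEPS) else None
    if step != expected:
        # Out-of-order or repeated submission: reject, leave state unchanged.
        return "409 expected " + (expected or "nothing")
    session.completed.append(step)
    return "200 accepted " + step


def replay(handler, requests):
    """Run a list of step names through a handler on a fresh session.

    Returns (responses, steps the server recorded as completed)."""
    session = Session()
    responses = [handler(session, step) for step in requests]
    return responses, session.completed
```

Replaying `["form3"]` alone is accepted by the first handler and rejected with `409 expected form1` by the second; a scanner sees a valid-looking 200 either way unless it understands the intended flow.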
-
January 25th, 2005, 06:32 PM
#4
Security scanners are good at finding apps that have known flaws. Like SittingDuck said, they tend to miss some stuff.
Penetration testing is more than looking for apps with vulnerabilities. It also involves checking your configuration of these apps, and testing your site for other vulnerabilities such as SQL injection, cross site scripting, or any number of things that an app scanner can't fully test.
A penetration tester is also more skilled with a vulnerability scanning tool as well. While anyone can run a scan, someone who has used it over time knows how to configure it for your specific network as well as configuring it with optimal settings for the most information.
A full penetration test should consist of scanning and attempting to break in with the human element.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 25th, 2005, 10:42 PM
#5
SPI Dynamics makes some pretty decent tools for automated testing, but even they indicate it takes a human with judgement and experience to comprehensively distill the results of an automated scan to evaluate the true threat. A program can test SQL injection queries hella faster than a human can, but will the output be truly useful to a bad guy? The human could tell a lot easier than any bot could, I'd put money on it.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 26th, 2005, 05:02 PM
#6
Member
Thanks for the terrific insight.
If I were to argue that "application firewalls" may eventually cut down any service offerings (say I offer a service with a human using an open source tool and his own techniques), would any of you participate in that argument?
-
January 26th, 2005, 08:21 PM
#7
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
January 26th, 2005, 08:51 PM
#8
Re: security test consultant
Why would anybody need a consultant if they already have some open-source tool to do application vulnerability tests?
Because just relying on automated security tools is the dumbest attitude in a company.
It's like having no guards because "I have a totally unbreakable safe and I don't need anybody to take care of it".
And IMHO, a vulnerability test or a penetration test REQUIRES a security specialist.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to break.
-
January 27th, 2005, 07:04 AM
#9
Member
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
-
January 27th, 2005, 08:28 AM
#10
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
For your own sake I hope you don't actually believe your own bullshit.