Web Vulnerability testing for the Non-technical
Results 1 to 7 of 7

Thread: Web Vulnerability testing for the Non-technical

  1. #1
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Question Web Vulnerability testing for the Non-technical

    Does anyone know of a resource, site, or service that a person could use to scan their commerce webserver for vulnerabilities? I'm talking about something like that ShieldsUp stuff from GRC.com...something a non-technical website owner could use to verify the security of their site?

    I know, I'm asking a lot. I don't believe such a thing even exists, but I figured the group would have more knowledge towards that fact that I would myself. I'm being interviewed for a news article and was asked this question (pre-interview questions, how nice of them) and honestly, I have no clue.

    I know that there are serious implications for the host/owner of any such service, the first and most obvious two being #1 how do you know a malicious party isn't using your tool to do recon on target websites, and #2 how do you know a malicious party isn't using your tool to DOS a target website?

    Any thoughts, input, or links would be appreciated.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Try these guys, zen:

    http://securityspace.com/sspace/index.html

    It's been awhile since I used them. They have free trails, you'll need to register.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    There's also ScanAlert's "Hacker Safe" "certificate"

  4. #4
    WebInspect by SiteDynamics, Wikto by Sensepost, Nikto...

    WebInspect can really suck on certain types of sites, and none will do better than manual or partially automated source review. WI isn't free

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    I'll second the ScanAlert folks. We have used them at my last two jobs... even my CIO (completely non technical) could handle those scans

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    I know you want non-technical, but the OWASP site should be bookmarked and referenced once in a while. The .pdf web development guide is priceless.

    http://www.owasp.org/index.php/Main_Page

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Thanks guys, you're input was all helpful. Much appreciated, and I'll share the results later, when they are public.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •