-
August 1st, 2006, 04:43 PM
#1
Web Vulnerability testing for the Non-technical
Does anyone know of a resource, site, or service that a person could use to scan their commerce webserver for vulnerabilities? I'm talking about something like that ShieldsUp stuff from GRC.com...something a non-technical website owner could use to verify the security of their site?
I know, I'm asking a lot. I don't believe such a thing even exists, but I figured the group would have more knowledge towards that fact than I would myself. I'm being interviewed for a news article and was asked this question (pre-interview questions, how nice of them) and honestly, I have no clue.
I know that there are serious implications for the host/owner of any such service, the first and most obvious two being #1 how do you know a malicious party isn't using your tool to do recon on target websites, and #2 how do you know a malicious party isn't using your tool to DoS a target website?
Any thoughts, input, or links would be appreciated.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
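The two abuse cases raised in that post (pointing the scanner at someone else's site for recon, and using it to hammer a site) are exactly what a self-service scanner has to design against. As an added example that is not from this thread or from any of the services named in it, the following hypothetical Python gatekeeper shows the usual shape of the mitigation: the requester must first prove control of the hostname by publishing a token the service issued, either in a DNS TXT record or in a file at a well-known URL, and scans are then rate-limited per target. The record label, file path, and the DNS/HTTP stand-ins are this example's own assumptions, not any real service's API.

```python
"""Hypothetical gatekeeper for a self-service web vulnerability scanner.

A target is scanned only after the requester proves control of the hostname
(DNS TXT record or well-known file containing a token we issued), and each
host is scanned at most once per interval.  Example code, not a real service.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Assumed conventions for this example (not any real scanner's protocol).
TXT_LABEL = "_scan-verify"
TXT_PREFIX = "scan-verify="
WELLKNOWN_PATH = "/.well-known/scan-verify.txt"

LookupTxt = Callable[[str], Iterable[str]]   # DNS name -> TXT strings
FetchUrl = Callable[[str], Optional[bytes]]  # URL -> body, or None if absent


def normalize_target(target: str) -> str:
    """Reduce user input to a bare lowercase hostname.

    Bare IP addresses are refused: control of an address cannot be proven
    through DNS, and "scan this IP" is precisely the recon/DoS abuse case.
    """
    host = target.strip().lower()
    for prefix in ("http://", "https://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    if not host or host.startswith("[") or any(c.isspace() for c in host):
        raise ValueError("not a hostname")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host
    raise ValueError("bare IP addresses are not accepted as scan targets")


def txt_record_proves_control(host: str, token: str, lookup_txt: LookupTxt) -> bool:
    """True if _scan-verify.<host> carries TXT 'scan-verify=<token>'."""
    expected = TXT_PREFIX + token
    try:
        records = lookup_txt(f"{TXT_LABEL}.{host}")
    except Exception:
        return False
    return any(secrets.compare_digest(r.strip(), expected) for r in records)


def wellknown_file_proves_control(host: str, token: str, fetch: FetchUrl) -> bool:
    """True if https://<host>/.well-known/scan-verify.txt contains the token."""
    try:
        body = fetch(f"https://{host}{WELLKNOWN_PATH}")
    except Exception:
        return False
    return body is not None and secrets.compare_digest(body.strip(), token.encode())


@dataclass
class ScanGate:
    lookup_txt: LookupTxt
    fetch: FetchUrl
    min_interval: float = 24 * 3600          # one scan per host per day
    verification_ttl: float = 7 * 24 * 3600  # re-prove control weekly
    tokens: dict = field(default_factory=dict)       # host -> issued token
    verified_at: dict = field(default_factory=dict)  # host -> time control was proven
    last_scan: dict = field(default_factory=dict)    # host -> time of last scan

    def request_verification(self, target: str) -> tuple[str, str]:
        """Issue an unguessable token the owner must publish for this host."""
        host = normalize_target(target)
        token = secrets.token_urlsafe(24)
        self.tokens[host] = token
        return host, token

    def authorize_scan(self, target: str, now: float) -> tuple[bool, str]:
        """Decide whether a scan of `target` may start at time `now`."""
        host = normalize_target(target)
        token = self.tokens.get(host)
        if token is None:
            return False, "no verification token issued for this host"
        if now - self.verified_at.get(host, -float("inf")) >= self.verification_ttl:
            if txt_record_proves_control(host, token, self.lookup_txt) or \
               wellknown_file_proves_control(host, token, self.fetch):
                self.verified_at[host] = now
            else:
                return False, "control not proven: publish the token in DNS or the well-known file"
        if now - self.last_scan.get(host, -float("inf")) < self.min_interval:
            return False, "rate limited: this host was scanned recently"
        self.last_scan[host] = now
        return True, "scan authorized"


# Constructed stand-ins for DNS and HTTP so the example runs offline.
DNS: dict = {}
FILES: dict = {}


def demo() -> list:
    """Walk through the abuse cases and the legitimate path; returns the decisions."""
    DNS.clear()
    gate = ScanGate(lambda name: DNS.get(name, []), lambda url: FILES.get(url), min_interval=3600)
    results = [gate.authorize_scan("victim.example", now=1000.0)]        # third party: denied
    host, token = gate.request_verification("https://shop.example/checkout")
    results.append(gate.authorize_scan(host, now=1000.0))               # token not published yet
    DNS[f"{TXT_LABEL}.{host}"] = [TXT_PREFIX + token]                   # owner publishes it
    results.append(gate.authorize_scan(host, now=1001.0))               # proven: allowed
    results.append(gate.authorize_scan(host, now=1002.0))               # too soon: rate limited
    results.append(gate.authorize_scan(host, now=1001.0 + 3600))        # interval elapsed
    return results
```

The token is compared with `secrets.compare_digest` and is never derived from the hostname, so an attacker cannot forge a record for a domain they do not control; the rate limit is keyed on the target, not the requester, so multiple accounts cannot be combined to flood one site.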
-
August 1st, 2006, 04:59 PM
#2
Try these guys, zen:
http://securityspace.com/sspace/index.html
It's been a while since I used them. They have free trials; you'll need to register.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
August 1st, 2006, 05:21 PM
#3
There's also ScanAlert's "Hacker Safe" "certificate"
-
August 2nd, 2006, 03:37 AM
#4
WebInspect by SiteDynamics, Wikto by Sensepost, Nikto...
WebInspect can really suck on certain types of sites, and none will do better than manual or partially automated source review. WI isn't free
-
August 2nd, 2006, 05:22 PM
#5
I'll second the ScanAlert folks. We have used them at my last two jobs... even my CIO (completely non technical) could handle those scans
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
-
August 2nd, 2006, 08:39 PM
#6
I know you want non-technical, but the OWASP site should be bookmarked and referenced once in a while. The .pdf web development guide is priceless.
http://www.owasp.org/index.php/Main_Page
-
August 5th, 2006, 08:45 PM
#7
Thanks guys, your input was all helpful. Much appreciated, and I'll share the results later, when they are public.