Hi,
Is there any open-source tool to test web application security for known vulnerabilities?
How do they compare to tools like AppScan QA?
Any information is highly appreciated, and I am sure it will shed some light.
Thanks,
Rich.
You could have a look at Paros (can't remember the URL, I'm sure Google will know). It's fairly good and no worse than AppScan.
Thanks
1. Is there any article/post anywhere that lists different web application security testing products and compares them?
2. What are the "n" things that a human consultant should do in testing a website's security besides using a vulnerability scanning tool?
For website security, SiteDigger from Foundstone can assess how vulnerable your website is!
It utilizes Google to fulfil its functions; for this purpose you have to get your own Google API key.
Enjoy the party!!!
Kautilya, I know InfoWorld had some reviews of network vulnerability assessment tools a while back; not sure if there is anything out there on app-specific tools.
SiteDigger is primarily concerned with finding out what info is available about your site via Google.
As to things that you need to do for an assessment, there are many methodologies out there, as well as lots of books, and lots of opinions. PM me if you can't find anything and I'll mail you some stuff.
Well, you could pay the big bucks for eEye's Retina scanner, or try Nessus, which is open source and included with Helix, a live CD.
I don't think so. SiteDigger is used to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.
Quote:
SiteDigger is primarily concerned with finding out what info is available about your site via Google.
You can Click Here to find some more information about it.
Quote:
1. Is there any article/post anywhere that lists different web application security testing products and compares them?
2. What are the "n" things that a human consultant should do in testing a website's security besides using a vulnerability scanning tool?
"web application security testing products"
Opeth, it does that by using Google (hence the use of the Google APIs) to search for weaknesses in your site that can be accessed by Google (i.e. Google hacks). At least that's what it seems to do when I run it. The options it has are Google search strings.
Whereas Paros, AppScan, WebInspect etc. look for things like cross-site scripting, SQL injection, etc.
You can use Achilles to check for GET/POST data that should/should not be there, or be editable, and use something like Nessus to check for vulnerabilities in your server technolog(y/ies).
You asked what are the 'n' things that should be done to ensure security. Well, you could do many things; it depends upon how far you want/need to take it. First things first, always ensure that the code written for the application is secure (meaning that it doesn't keep track of any information such as usernames, passwords, and other such things for anything more than page scope, because unless it's on HTTPS it won't be encrypted), make sure that any underlying connections are secured (i.e. disallow root login to MySQL from anywhere except the machine), and keep any passwords for the web application encrypted in the database. I personally like to md5 them before putting them into the DB, and then md5 them before I check them against the DB. You could also make a habit of changing passwords once every 2 weeks or so, always making them completely different. Use role-based access control on the application, etc.
Always remember to ensure that your system is patched and updated...
Tools that check security are always good, but security should never be an afterthought that is overlooked until project completion; instead it should be part of the system implementation from its inception.
For secure programming techniques, I'm sure Google has a wealth of information regarding this; just search for secure programming.
Good Luck,
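As an added illustration of the password-storage point in the post above (this is example code written here, not code from the thread or from any of the tools mentioned), the following contrasts the plain md5-before-the-DB approach with a per-user salted, iterated hash from the Python standard library. The user records are constructed sample data; the function names are my own.

```python
"""Password storage for a web application's user table (added example)."""
import hashlib
import hmac
import os
from typing import List, Optional

# --- Scheme described in the post: md5(password) stored in the DB ---
def md5_store(password: str) -> str:
    """Unsalted md5: identical passwords give identical stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_check(password: str, stored: str) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(md5_store(password), stored)

# --- Salted, iterated alternative: random per-user salt, slow derivation ---
ITERATIONS = 200_000  # assumed cost parameter; tune to your hardware

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' for the DB."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def pbkdf2_check(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; reject other formats."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def duplicate_password_exposed(stored_values: List[str]) -> bool:
    """True if two users who share a password get identical stored values,
    i.e. someone reading the table learns that they share a password."""
    return len(set(stored_values)) < len(stored_values)

if __name__ == "__main__":
    # constructed sample: two users who happen to pick the same password
    users = {"alice": "hunter2", "bob": "hunter2"}
    print("md5 reveals shared password:",
          duplicate_password_exposed([md5_store(p) for p in users.values()]))
    print("pbkdf2 reveals shared password:",
          duplicate_password_exposed([pbkdf2_store(p) for p in users.values()]))
```

The `duplicate_password_exposed` check is the practical difference: the unsalted scheme lets anyone who reads the table group users by password, while the salted scheme does not.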
You could use parts of the OSSTMM:
http://www.isecom.org/osstmm/
and OWASP have a pen test guide for apps:
http://www.owasp.org/documentation/t...plication.html
If I were to start a small company and offer services in the GLBA compliance area,
what is the approach that I should take?
What tools do I need? (Do I need tools?)
What legal formalities should I meet?
K, please don't take this the wrong way, but if you have to ask these questions, it suggests that you don't have enough knowledge or experience in this area, and probably don't have any business starting a company offering this service. I'd love to be a cardiothoracic surgeon (because of the money they make, and the limited hours they work), but going to alt.surgeons.heart and asking questions about "How do I invent a new and innovative surgical method so I can get a patent and get rich?" isn't likely to get a favorable response.
Get a job with another company providing these services, and learn OJT.
Quote:
Originally posted here by kautilya
If I were to start a small company and offer services in the GLBA compliance area,
what is the approach that I should take?
Your second question, asking for ratification of the first, is a good indicator of my initial point.
Quote:
What tools do I need? (Do I need tools?)
Any and all of the legal formalities for your locale, including compliance with GLBA, business standards, business licensing, and others.
Quote:
What legal formalities should I meet?
---
Like I mentioned, I'm not trying to harp on you, but this forum is not really a 'come ask a question and expect to be given all encompassing answers' type of place. That may not be your intent, but that is how some of your posts come across.
Participate, search for info on a subject (AO search AND via google) before you post a question, and you're likely to get a much different response.