Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

Re: Web Application Security Vulnerability testing

by Your Mother (Bishop)
on Nov 05, 2012 at 17:19 UTC ( #1002367=note: print w/replies, xml ) Need Help??

in reply to Web Application Security Vulnerability testing

I think this is a great question for learning and I hope you get some good answers. Being the resident wet-blanket I proffer: professional web security is no place for a rookie. You will miss things and you will get things wrong. There are some decent, mostly commercial, probing/fuzzing tools but there is no way to automatically and accurately assess a site's security. A karate handbook can't teach a self-defense class and web-security program can't find/fix any but the most obvious and anticipated security issues in a website.

To actually answer some of your post: cross-language tools are fine. HTTP(S) is all both sides have to speak so the client's programming language is irrelevant.

  • Comment on Re: Web Application Security Vulnerability testing

Replies are listed 'Best First'.
Re^2: Web Application Security Vulnerability testing
by squimby (Acolyte) on Nov 05, 2012 at 19:20 UTC
    Fortunately my company and boss know better than to trust me with actually implementing application security testing. I was just asked to find some resources and tools for further investigation by somebody who does in fact know what they're doing. Any advice for tools or resources--particular probing/fuzzing tools which you have a good experience with? It looks like OWASP has some good information, but from what I gather they don't make recommendations for enterprise solutions to avoid influence from corporate sponsors.
      Fortunately my company and boss know better than to trust me with actually implementing application security testing.

      Nice. But make sure everyone learns that even constant security checks won't prevent a clever attacker from finding an obscure path through your system.

      Once, one of my systems was tested by a well-known organisation for one of the clients. They found a problem with the login function: In a certain combination of operating system and database, it was possible to test account names for existence. So, an attacker could significantly reduce the number of combinations of names and passwords to be tested. Of course, this was not expected behaviour, and I removed that bug.

      But: They did not find a way in, so they did not test anything else. The client was happy with that, the system earned its "tested by $organisation" stamp, and now it was "secure" and could be used.

      It seems none of the testers even thought of calling technical support, pretending to be one of the users that (s)he found during the login tests and have the password of that account reset or revealed.

      None of the testers asked for a test account to try to attack the system from the inside.

      None of the testers asked for the source code.


      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
        I know that sentiment. The most popular phrase I hear is 'Security is a process, not a product,' and I think the second most popular one needs to be 'The weakest element in any IT network is the people who use it.' Needless to say, now we have procedures for resetting passwords and verifying users on the phone to mitigate social engineering attacks. Now I sleep better at night.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1002367]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (4)
As of 2018-05-20 12:35 GMT
Find Nodes?
    Voting Booth?