Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-19 Thread Kevin W. Wall
Matt Parsons wrote:
> What do you like doing better as application security professionals, web
> penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
> Should a security professional have a preference when both have
> different value propositions? While there is overlap, a static analysis
> tool can find things that pen testing tools cannot. Likewise, a pen test
> can report on secure applications deployed insecurely which is not
> visible to static analysis.
>
> So, the best answer is I prefer both...

While I realize that both are necessary and each have their own
pros and cons, my personal preference is to do static code analysis,
especially if it involves old-fashioned manual code inspections.

The reason for that is I like getting closer to the source code.
Maybe that's just because it seems like I'm getting back to
my development roots. (I worked as a developer for the first half
of my career.) I find the advantages of dealing with source code
are that you are able to spot the exact problem as well as offer
more specific fixes. And working at the source code level gives
me more opportunities to work closely with the development teams
where I am able to explain to them in terms of their own code what
is going on and how a vulnerability can be fixed.

When approaching vulnerabilities from a pen testing level, I find
all too often that the developers do not believe that there is anything
wrong or if they do, they don't believe that it is serious enough that
it needs to be fixed. (For instance, it is not uncommon that when
developers are presented with results from a pen test that show that
they have non-persistent (reflective) XSS vulnerabilities present,
that I get the response "Yeah, but that's not going to happen. First
you would have to get an authenticated user to click on that link and
they would never do that." Apparently they don't believe that those
doing phishing ever catch any victims.) However, when I'm dealing with
source code, that objection generally does not come up...perhaps
because I can show them right then and there how to remediate the
issue.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."-- Nathaniel Borenstein, co-creator of MIME
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
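To illustrate the kind of source-level walkthrough Kevin describes (pointing at the exact line where a reflected XSS lives and showing the fix next to it), here is an added example that is not part of the SC-L thread and not code from any project named in it. It uses plain functions standing in for a request handler; the query-object shape, the `greetVulnerable`/`greetFixed` names and the probe string are assumptions made for the illustration.

```javascript
// Added example (not from the SC-L thread): a reflected-XSS finding explained
// at the source-code level, with the remediation beside it. No web framework
// is used; a handler is just a function from a parsed query object to an
// HTML string, which is an assumption for this illustration.

// VULNERABLE: the untrusted "name" query parameter is concatenated straight
// into the HTML body. This is the line a code review points at.
function greetVulnerable(query) {
  const name = query.name ?? "guest";
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// REMEDIATION: HTML-entity-encode untrusted data before placing it in an
// element body. These five characters are the ones that can break out of
// text context in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// FIXED: same handler, with the output encoding applied at the sink.
function greetFixed(query) {
  const name = escapeHtml(query.name ?? "guest");
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// Parse a raw query string into the object the handlers accept.
// URLSearchParams is built into Node.js.
function parseQuery(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// A check a reviewer can run to demonstrate the difference to a developer:
// feed a constructed, inert marker string through the handler and see whether
// it comes back as live markup. Returns true when the handler reflects it
// unescaped (i.e. the finding is real), false when the fix holds.
function reflectsUnescaped(handler, query) {
  const probe = "<script>x</script>"; // constructed marker, does nothing
  const out = handler({ ...query, name: probe });
  return out.includes(probe);
}

// Walkthrough output for the reader.
console.log("vulnerable reflects markup:", reflectsUnescaped(greetVulnerable, {}));
console.log("fixed reflects markup:     ", reflectsUnescaped(greetFixed, {}));
console.log(greetFixed(parseQuery("name=%3Cb%3EBob%3C%2Fb%3E")));
```

The point of the `reflectsUnescaped` check is that it is the same demonstration a pen test report makes, but run against the handler function itself, so the developer sees the offending line and the one-line encoding fix in the same sitting. Encoding at the sink, rather than filtering at the input, is what makes the fix hold regardless of where the parameter came from.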


[SC-L] Top Ten OWASP Podcast Series

2010-04-19 Thread Jim Manico

Hello SC-L,

We just released 5 OWASP Podcasts today in celebration of the
release of the 2010 edition of the OWASP Top Ten! Big kudos to Dave
Wichers and team for all of their hard work in making this release a
success.


The Top Ten podcasts include:

Show 67: Jeff Williams on XSS Defense 
http://www.owasp.org/download/jmanico/owasp_podcast_67.mp3
Show 68: Kevin Keenan on Cryptographic Storage 
http://www.owasp.org/download/jmanico/owasp_podcast_68.mp3
Show 69: Eric Sheridan on CSRF Defense 
http://www.owasp.org/download/jmanico/owasp_podcast_69.mp3
Show 70: Michael Coates on TLS Configuration 
http://www.owasp.org/download/jmanico/owasp_podcast_70.mp3
Show 71: Robert Hansen on Insecure Redirects 
http://www.owasp.org/download/jmanico/owasp_podcast_71.mp3


PS: You can subscribe to our RSS feed here: 
http://www.owasp.org/download/jmanico/podcast.xml
..or do the same via iTunes 
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
..or see our show list on the web 
http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows


PPS: The OWASP Podcast Series is a non-commercial podcast released under
the Creative Commons/ShareAlike license.


PPPS: Did someone say "slow down" ? I missed that as I was running by... ;)

Thanks for listening!

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
