On 04/20/2011 09:14 AM, davide sozzi wrote:
> Hi,
>
> ok thanks but then this brings me to the next question: when a web
> scanner company says: "we cover all top10 OWASP risks" are they lying
> then (see Acunetix, Sandcat etc)?
>
> Thanks
>
> Davide
>
Davide,

It seems that you didn't read the first link I sent, so I'll send it again, along with the most applicable quote:

"For our part, WhiteHat Security is in the website security business and provides a vulnerability management service. Our Sentinel Service incorporates expert analysis with proprietary scanning technology. Using a black box process, we assess hundreds of websites a month, more than anyone in the industry. What we've come to understand is that a significant portion of vulnerabilities are virtually impossible for scanners to find. By the same token, even the most seasoned Web security experts cannot find many issues in a reliable and consistent manner. To achieve full vulnerability coverage and therefore complete vulnerability management, we must rely on a combination and integration of both methods."

https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf

Yes, any scanner vendor that tells you "we cover all top10 OWASP risks" is flat out, bald-faced lying.

I'll point to the WASC scanner evaluation criteria project also, which is a good guide to the things you need to think about when choosing a scanner, and how to evaluate them to know their limitations:

http://projects.webappsec.org/w/page/13246986/Web-Application-Security-Scanner-Evaluation-Criteria

Appendix A on how to conduct a scanner evaluation should be particularly useful to you.

IMHO, the Top Ten is the worst document OWASP makes, particularly for your confusion. Check out the Testing Guide and the ASVS for more insight into what application security testing should look like. In fairness, if you read the first few pages of the OWASP Top Ten PDF guide itself, it does give good guidance that the Top Ten doesn't mean anything and points you to their other, better resources.

As an aside, I don't like the Top Ten much anyway, and when we write reports for our clients, we code findings with the much more descriptive WASC Threat Classification:

http://projects.webappsec.org/w/page/13246978/Threat-Classification

You can see how they compare here:

http://projects.webappsec.org/w/page/13246975/Threat-Classification-Taxonomy-Cross-Reference-View

-- 
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
