Re: [Dailydave] bugs are bad.

From: John Lampe (jwlampenessus.org)
Date: Mon Jul 31 2006 - 13:52:43 CDT


Matthew Franz wrote:

>
> The other I'd like to see in commercial products is mining information
> from server configuration and feeding that into a scanner. For example
> on J2EE apps you've got a wealth of info sprinkled across dozens of
> XML config files. Struts-based apps also have juicy stuff about forms,
> variables, types, and validation mechanisms that could drive specific
> tests, much of it which will be in the .war
>
> I assume there is comparable stuff on the Microsoft platform...
>

There is comparable stuff on MS platforms. Parsing the source code,
.config files, the registry (if they are doing it right), DISCO, UDDI,
etc. etc. yields interesting stuff. And, there are tools which automate
some of the local code auditing (FxCop, SSW Code auditor, etc.)...

It would seem that a better methodology for app pen-testing would be to
do the code audit and pen-test in conjunction. The code audit gives you
the attack vectors that *should* work, and the pen-test becomes nothing
more than a validation for the code audit.

Lots of pen-testers won't like this as it requires skill in actually
reading code...That's why you hear them say stuff like "We need to
emulate the actual Hacker attack" and similar rubbish. Why use a
black-box approach when you can read and analyze the application? Isn't
that just common sense?

--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
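As an added example (not from the post above, and not code from Tenable, Nessus or Neohapsis), here is the kind of config-mining the thread describes for the J2EE side: pull the Struts action paths, form beans, field types, validation rules and container security constraints out of web.xml, struts-config.xml and validation.xml, and turn them into a target list a scanner could drive. The three XML documents are constructed sample input for a hypothetical banking app, not files from any real deployment; in practice they would be read out of WEB-INF/ inside the .war.

```python
"""Mine Struts/J2EE deployment descriptors for scanner targets.

Added example, not part of the original post. The XML below is a
constructed sample for a hypothetical app; a real run would read
WEB-INF/web.xml, WEB-INF/struts-config.xml and WEB-INF/validation.xml
out of the .war with zipfile.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: ActionServlet on *.do, container auth on /admin/*
WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed struts-config.xml: note transferForm skips validation
STRUTS_CONFIG = """<?xml version="1.0"?>
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm">
      <form-property name="username" type="java.lang.String"/>
      <form-property name="password" type="java.lang.String"/>
    </form-bean>
    <form-bean name="transferForm" type="com.example.TransferForm">
      <form-property name="account" type="java.lang.Integer"/>
      <form-property name="amount" type="java.lang.Double"/>
      <form-property name="memo" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" validate="true"
            input="/login.jsp" type="com.example.LoginAction"/>
    <action path="/transfer" name="transferForm" validate="false"
            type="com.example.TransferAction"/>
    <action path="/admin/report" type="com.example.ReportAction"/>
  </action-mappings>
</struts-config>"""

# Constructed validation.xml: only loginForm has Validator rules
VALIDATION_XML = """<?xml version="1.0"?>
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
      <field property="password" depends="required"/>
    </form>
  </formset>
</form-validation>"""


def struts_action_patterns(web_xml):
    """URL patterns that web.xml routes to the Struts ActionServlet."""
    root = ET.fromstring(web_xml)
    names = {s.findtext("servlet-name") for s in root.iter("servlet")
             if (s.findtext("servlet-class") or "").endswith("ActionServlet")}
    return [m.findtext("url-pattern") for m in root.iter("servlet-mapping")
            if m.findtext("servlet-name") in names]


def protected_patterns(web_xml):
    """URL patterns covered by a security-constraint that actually names roles."""
    root = ET.fromstring(web_xml)
    pats = []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # a constraint with no auth-constraint restricts nobody
        pats += [p.text for p in sc.iter("url-pattern")]
    return pats


def _matches(url, pattern):
    """Servlet-spec matching: prefix (/x/*), extension (*.do) or exact."""
    if pattern.endswith("/*"):
        return url == pattern[:-2] or url.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return url.endswith(pattern[1:])
    return url == pattern


def _action_url(path, pattern):
    """Turn a Struts action path into the request URL the mapping exposes."""
    if pattern.startswith("*."):
        return path + pattern[1:]
    if pattern.endswith("/*"):
        return pattern[:-1] + path.lstrip("/")
    return pattern


def validated_fields(validation_xml):
    """{form: {property: {'depends': [...], 'vars': {...}}}} from validation.xml."""
    root = ET.fromstring(validation_xml)
    out = {}
    for form in root.iter("form"):
        fields = {}
        for f in form.iter("field"):
            depends = [d.strip() for d in f.get("depends", "").split(",") if d.strip()]
            vars_ = {v.findtext("var-name"): v.findtext("var-value") for v in f.iter("var")}
            fields[f.get("property")] = {"depends": depends, "vars": vars_}
        out[form.get("name")] = fields
    return out


def mine_targets(web_xml, struts_config, validation_xml):
    """One scanner target per Struts action: URL, fields, what is (un)validated, auth."""
    patterns = struts_action_patterns(web_xml) or ["*.do"]
    prot = protected_patterns(web_xml)
    rules = validated_fields(validation_xml)
    cfg = ET.fromstring(struts_config)
    beans = {b.get("name"): [(p.get("name"), p.get("type")) for p in b.iter("form-property")]
             for b in cfg.iter("form-bean")}
    targets = []
    for a in cfg.iter("action"):
        form = a.get("name")
        fields = beans.get(form, [])
        # Struts defaults validate to true; validate="false" bypasses Validator entirely
        validate = a.get("validate", "true").lower() == "true"
        checked = rules.get(form, {}) if validate else {}
        url = _action_url(a.get("path"), patterns[0])
        targets.append({
            "url": url,
            "form": form,
            "fields": fields,
            "validated": sorted(checked),
            "unvalidated": [n for n, _ in fields if n not in checked],
            "auth_required": any(_matches(url, p) for p in prot),
        })
    return targets


if __name__ == "__main__":
    for t in mine_targets(WEB_XML, STRUTS_CONFIG, VALIDATION_XML):
        print(t["url"], "auth" if t["auth_required"] else "anon",
              "unvalidated:", t["unvalidated"], "fields:", t["fields"])
```

Run against the sample, /transfer.do comes out with every field unvalidated (the action sets validate="false", so validation.xml never applies), /login.do shows a 32-character cap on username that a scanner can probe directly, and /admin/report.do is flagged as needing the admin role, which is exactly the "attack vectors that should work" list the post argues the pen-test should then confirm. The typed fields (java.lang.Integer, java.lang.Double) also tell the tester which parameters go through BeanUtils conversion rather than straight to the action.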