Penetration Testing
OWASP Top 10 penetration testing software? Feb 28 2012 07:35PM
webcat (matthew mckinzie lewin com) (7 replies)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 09:40PM
Nathalie Vaiser (nvaiser gmail com)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:50PM
David Mirza (dma subgraph com)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:44PM
psiinon (psiinon gmail com) (1 replies)
Hi,

You should be careful with scanners that claim to test "the OWASP Top Ten".
For example, "Insecure Cryptographic Storage" is one of the OWASP Top
Ten but this is typically only detectable server side, so no web app
scanner will find it :)
And Insecure Direct Object references are tricky to find in an
automated way, but relatively easy for an experienced security tester
to find.

Automated tools will only be able to find a subset of the top ten, and
all of the other potential vulnerabilities (eg application level
issues).
Dont believe anyone who tells you otherwise :)

The OWASP Zed Attack Proxy (ZAP) will find some of the top ten
'automatically', but works best if driven by someone whos looking for
issues and knows what to look for.
Its a good tool to help you learn how to find issues, but wont do it
all for you.
No tool will!

Psiinon (ZAP Project Lead)

On Tue, Feb 28, 2012 at 7:35 PM, webcat <matthew.mckinzie (at) lewin (dot) com [email concealed]> wrote:
>
>
> Hi, for one of my websites, I have been required to use a web application
> scanner that tests against the OWASP Top Ten threats. I'm looking for a
> scanner that does this that is inexpensive or free.
>
> Possible scanners I've found for this include the OWASP Zed Attach Proxy
> Project, Sonar, and w3af, but none of these explicitly tests against the
> OWASP Top Ten threats (at least not that I can tell).
>
> Does anyone know of a scanner that does test against the OWASP Top Ten
> threats? Thank you!
> --
> View this message in context: http://old.nabble.com/OWASP-Top-10-penetration-testing-software--tp33409
197p33409197.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------

> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

>

--
OWASP ZAP: Toolsmith Tool of the Year 2011

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

[ reply ]
Re: OWASP Top 10 penetration testing software? Mar 05 2012 11:00AM
Zaki Akhmad (zakiakhmad gmail com) (1 replies)
Re: OWASP Top 10 penetration testing software? Mar 05 2012 11:17AM
psiinon (psiinon gmail com) (1 replies)
RE: OWASP Top 10 penetration testing software? Mar 05 2012 05:46PM
Adam Behnke (adam infosecinstitute com)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:33PM
Tim Gonzales (tim gonzales gmail com)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:15PM
martin mngoma gmail com (1 replies)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:44PM
Robert Wood (robertwood50 gmail com) (1 replies)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:53PM
martin mngoma gmail com
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:09PM
Michele Orru (antisnatchor gmail com)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:07PM
M. Hani Benhailes (kroosec gmail com) (1 replies)
Re: OWASP Top 10 penetration testing software? Feb 28 2012 08:32PM
webcat (matthew mckinzie lewin com)


 

Privacy Statement
Copyright 2010, SecurityFocus