[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200506131726.j5DHQEMq011629@turing-police.cc.vt.edu>
Date: Mon Jun 13 18:26:21 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Web application Security Scanner
On Mon, 13 Jun 2005 21:10:19 +0400, tgoogle said:
> I need BEST program, which can found Maximum bugs in any custom Web application.
I doubt you'll fine one "best" program, as there's too much diversity.
There's probably someplace running CGI written in COBOL.
And somebody probably has a scanner for COBOL CGIs.
But you'll never find that scanner in one of the "big name" packages, because
trying to scan for *everything* is just too difficult - it's a lot easier to
create a package that does one class of things well (find 90% of injections,
80% of buffer overflows, etc).
If you're lucky, you'll find a set of 3 or 4 tools, which when used together, will
do 95% of the heavy lifting for you.
And remember that although programmatic scanners may be able to do a reasonable
job against certain classes of well-understood bugs (integer overflow, buffer
overflow, SQL injection, etc), they can't find errors caused by a programmer
being creatively stupid (as opposed to just not thinking).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050613/79c0566f/attachment.bin
Powered by blists - more mailing lists