
[WEB SECURITY] Automated Scanner vs. The OWASP Top Ten (white paper)



Hello,

The challenges of automated web application vulnerability scanning are a subject of frequent debate, specifically because most websites have vulnerabilities (a lot of them) and we need help finding them quickly. The point of contention revolves around what scanners are able to find, or not. Using the OWASP Top Ten as a foundation, I published a white paper describing in detail how scanners approach certain complex situations. There is some marketing-fu within the pages, but the majority of it is content rich. Enjoy!

"Automated Scanner vs. The OWASP Top Ten"
http://www.whitehatsec.com/home/assets/OWASPTop10ScannersF.pdf

"The OWASP Top Ten is a list of the most critical web application security flaws – a list also often used as a minimum standard for web application vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions."


Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/



----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


