Re: [WEB SECURITY] Links for tutorials on false positives
- From: Matt Tesauro <matt.tesauro@xxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Links for tutorials on false positives
- Date: Mon, 02 Nov 2009 11:38:10 -0600
I'm assuming that by 'scan' you mean an automatic dynamic scanner like
WebInspect, AppScan, w3af or similar.
To validate those findings, you will need to manually reproduce the
issues reported by those scanners. Generally those fall into two
categories:
(1) Infrastructure-type findings (e.g. server configuration)
(2) Application-type findings (e.g. validation failures in the app)
For (1) issues, there are tools that focus in this arena such as Nessus,
OpenVAS, Nikto, QualysGuard ...
http://sectools.org/vuln-scanners.html
For (2) issues, this is generally done with a browser and some sort of
intercepting local proxy such as Web Scarab, Burp, ...
If you need a reference on how to conduct those tests, I'd recommend
OWASP's Testing Guide which is free (Creative Commons) and available
online, in .doc/.pdf and on-demand printing. Version 3 is the latest and
is a 349 page book which breaks 66 controls into 9 categories:
http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Most issues under (1) above are in the Configuration Management section:
http://www.owasp.org/index.php/Testing_for_configuration_management
and the rest of the guide should cover (2):
http://www.owasp.org/index.php/Web_Application_Penetration_Testing
False negatives are very tricky as it's hard to validate the existence of
something you don't know about. You could try using other scanners
under the assumption that gaps will exist between what scanner X and
scanner Y finds. Ideally, a manual application pen test by a skilled
application security professional would be conducted and should provide
much more data than an automatic scan.
HTH.
--
-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
On Mon, 2009-11-02 at 14:57 +0530, sutapa dey wrote:
> Hi Security Gurus,
>
> I need your guidance in finding certain (if exists) links/tutorials on
> "how to validate security scan findings for false
> positives/negatives".
>
> I tried to google out the links but am not very successful. If you have
> come across any articles/podcasts/links please share with me.
>
> Thanks and Regards,
> Sutapa
>
>
>
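The reply above suggests two things a practitioner has to do before touching a browser and proxy: split scanner output into infrastructure and application findings, and compare what scanner X and scanner Y report so the gaps (candidate false negatives) and the single-source findings (candidate false positives) are visible. The script below is an added example, not code from the thread or from any of the scanners named in it; the two reports, the URLs and the finding type names are constructed sample data, and the `INFRA_TYPES` set is an assumed mapping that would be adjusted per tool.

```python
"""Triage of automated web-scanner findings before manual validation:
split into infrastructure vs application categories and diff two scanners.
All finding data here is constructed; real scanners emit their own XML/JSON
and a small per-tool adapter would produce dicts in this normalized shape."""
from urllib.parse import urlsplit

# Constructed sample reports (not real scanner output).
SCANNER_X = [
    {"type": "xss", "url": "https://app.example.test/search?q=1", "param": "q"},
    {"type": "sqli", "url": "https://app.example.test/item?id=2", "param": "id"},
    {"type": "server-banner", "url": "https://app.example.test/", "param": ""},
]
SCANNER_Y = [
    {"type": "xss", "url": "https://app.example.test/search?q=abc", "param": "q"},
    {"type": "dir-listing", "url": "https://app.example.test/static/", "param": ""},
]

# Assumed mapping: finding types treated as infrastructure/configuration
# issues (category (1) in the thread). Anything else is an application
# finding (category (2)) and goes to the browser-plus-proxy queue.
INFRA_TYPES = {"server-banner", "dir-listing", "tls-weak-cipher", "http-methods"}


def fingerprint(finding):
    """Reduce a finding to (type, path, param) so that two scanners reporting
    the same weakness with different probe values in the query string match."""
    path = urlsplit(finding["url"]).path
    return (finding["type"], path, finding["param"])


def categorize(finding):
    """Category (1) infrastructure or (2) application, per the thread's split."""
    return "infrastructure" if finding["type"] in INFRA_TYPES else "application"


def triage(report_x, report_y):
    """Cross-scanner diff: corroborated findings, and what only one tool saw.
    Single-source findings are the first candidates for false positives in
    that tool and false negatives in the other."""
    fx = {fingerprint(f) for f in report_x}
    fy = {fingerprint(f) for f in report_y}
    return {
        "corroborated": sorted(fx & fy),
        "only_x": sorted(fx - fy),
        "only_y": sorted(fy - fx),
    }


def validation_queue(report_x, report_y):
    """Every unique finding tagged with its category and the scanners that
    reported it, so manual reproduction work can be planned per category."""
    merged = {}
    for label, report in (("X", report_x), ("Y", report_y)):
        for f in report:
            entry = merged.setdefault(
                fingerprint(f), {"category": categorize(f), "reported_by": []}
            )
            entry["reported_by"].append(label)
    return merged


if __name__ == "__main__":
    for bucket, items in triage(SCANNER_X, SCANNER_Y).items():
        print(bucket, items)
    for fp, meta in validation_queue(SCANNER_X, SCANNER_Y).items():
        print(meta["category"], fp, "reported by", meta["reported_by"])
```

The fingerprint deliberately drops the query string values, since scanners vary their probe payloads and would otherwise never match; it keeps the parameter name because the same page can be flagged on different inputs. Anything in `only_x` or `only_y` still has to be reproduced by hand, as the reply says; the diff only tells you where to look first.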