This is Danny Allan's Typepad Profile.
dre,
Thanks for your comments. I actually agree with many of the points that you raise. For example, you mention that developers have been left out of the picture. I agree. In fact, my own thought is that this is part of the problem and has brought us to the (in)security that we have today. We've been so focused on these security issues and communicating in terms of really technical exploits that we have failed to address the causes of the problem and to help actually "do" something about it. However, my post here was not from the perspective of solving the problem or helping developers, but from a very different perspective: that of audit and penetration.
This is why I actually use the Metasploit example, rather than the Nessus example. As an auditor, some of the value which I bring is around context. Using DREAD, this might fall in the exploitability and damage categories. These are risk measurements which are best left to a human who can understand context. While Nessus might do a scanning vulnerability assessment, Metasploit gives me an exploitation engine. You're correct in pointing out that AttackAPI is very close to this.
Looking at this from an audit perspective, I still have these frustrations. If you were to look at my toolbox, for every commercial tool I use, I have at least 15-20 free or open source tools. I like these tools. I use them daily. I don't mean to belittle the open source industry. Percentage-of-time-wise, I spend more time using open source tools than commercial tools. The commercial tools for me are generally for scale and the broad brush stroke approach, and it's why the manual local proxies (as you point out) are still needed. My frustration with open source tools is that I have so many of them. Again, "I would like a single mature product where I can both collect my artifacts (predictive threat index, architectural risk analysis, threat modeling, etc.) and where I can exercise my scalpels of choice (network requests, proxy tools, fuzzers, statistical analysis, etc.)."
Perhaps I didn't explain this well enough. I think it's valuable to be able to tie together a security requirement from the requirements phase, with an actual exploitation test as part of my audit, to a report. Currently, doing this simple step requires a handful of powerful, independent tools. And, even then, I'm forced to manually tie all this together for the final report.
I don't want to say that the open source community cannot produce a web application scan and audit tool. (Consider something as simple as a JavaScript based crawler like CSpider [ http://devedge-temp.mozilla.org/toolbox/examples/2003/CSpider/index_en.html ].) I'm just saying that when I hear people ask for this in the open source community, I take a more humble approach and wish that I had a better platform from which to perform my audit. I know from experience that building a) a really good crawler with session management and b) a set of tests that fits a broad market takes a lot of time and resources. As an auditor, I would much rather see the current proxy tools we have be enhanced into a platform that takes me from security requirements to audit (exploitation) to report.
My Wish for Open Source Web Application Security Tools
If web application scanning tools are the power tools used for broad application assessment, then the more sophisticated penetration tester will extend and refine the results through the usage of finely tuned scalpels. Myself? I've always favored using Netcat, Paros and human intelligence. Th...