[Owasp-boston] 2 Questions about Jim's Presentation last week

Scott Matsumoto smatsumoto at cigital.com
Mon Nov 23 16:53:12 EST 2009


One of the guys at Cigital is organizing it with help from the feds and tool vendors.  A draft is due out after the first of the year.

________________________________
From: james at architectbook.com [james at architectbook.com]
Sent: Monday, November 23, 2009 4:00 PM
To: Scott Matsumoto
Cc: owasp-boston at lists.owasp.org
Subject: RE: [Owasp-boston] 2 Questions about Jim's Presentation last week

Do you have a URL that describes SAFES in more detail?

-------- Original Message --------
Subject: RE: [Owasp-boston] 2 Questions about Jim's Presentation last
week
From: Scott Matsumoto <smatsumoto at cigital.com>
Date: Mon, November 23, 2009 3:57 pm
To: "james at architectbook.com" <james at architectbook.com>
Cc: "owasp-boston at lists.owasp.org" <owasp-boston at lists.owasp.org>

I don't know the fate of O2, so I cannot comment on it.

SAFES is an emerging standard to standardize tool findings, so there's value in standardizing them. I think it's very early for SAFES.

________________________________
From: james at architectbook.com [james at architectbook.com]
Sent: Monday, November 23, 2009 3:45 PM
To: Scott Matsumoto
Cc: owasp-boston at lists.owasp.org
Subject: RE: [Owasp-boston] 2 Questions about Jim's Presentation last week

OWASP Board member Dinis Cruz frequently discusses the O2 Platform. I am curious if anyone knows whether IBM will step up and rally behind it or let it die on the grapevine? Also would love to know if there is merit in having Appscan, WebInspect and other dynamic analysis tools emit a findings file in a standard format.

-------- Original Message --------
Subject: Re: [Owasp-boston] 2 Questions about Jim's Presentation last
week
From: Scott Matsumoto <smatsumoto at cigital.com>
Date: Mon, November 23, 2009 9:59 am
To: "Laverty, Patrick" <Patrick_Laverty at brown.edu>,
"owasp-boston at lists.owasp.org" <owasp-boston at lists.owasp.org>

Patrick,

In terms of your first question, I can answer from our experience doing assessments that mix manual and tools for both static and dynamic analysis that those percentages are roughly right. I don't have quantitative numbers to back up that claim since our analysis isn't based solely on raw numbers.

In terms of employing multiple scanners, we use both AppScan and HP (SPI) and I don't see enough difference in coverage to run both. I think that using different tools that are looking for different types of problems or using a mix of static and dynamic tools provides enough of a win to justify the extra cost (both dollar and human).

Using this mix of static and dynamic as well as manual and tool-based techniques is exactly what we do. In the end, however, I find the vulnerabilities that have the highest business-related impact are those that we find manually. I think it's because many of the defects that the tools miss involve information disclosure and the tools don't have enough intelligence to distinguish what data one should or should not see.

________________________________
From: owasp-boston-bounces at lists.owasp.org [owasp-boston-bounces at lists.owasp.org] On Behalf Of Laverty, Patrick [Patrick_Laverty at brown.edu]
Sent: Monday, November 23, 2009 8:34 AM
To: owasp-boston at lists.owasp.org
Subject: [Owasp-boston] 2 Questions about Jim's Presentation last week

And they’re both about the same statement.

Jim stated that the scanners will “Only going to find 10 – 20% of vulns – low hanging fruit”

My two questions are:

1. How do we know that they will only find that number? If we know they’re missing 80-90%, how did we find them to count those that were missing?

2. I’ve read that the most effective and thorough scanning is to get 4-5 different scanners and use them all, as they will find some different vulnerabilities. Has anyone done this? What did you find when you looked at all the data from multiple scanners, and how varied are they at finding different true positive results?

Thank you!

Patrick

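Added example, not part of the thread above and not code from any of the tools or people it mentions: Patrick's second question (how much two scanners' true positives overlap) and James's point about a common findings format both come down to the same mechanics, normalizing each tool's output into one record shape and then comparing sets. The script below does that for two constructed, simplified report formats (a JSON list and a CSV; these are stand-ins, not the real AppScan or WebInspect formats, and SAFES itself is not implemented). It also shows how the "tools find 10-20%" figure in Patrick's first question can actually be measured: against a manually confirmed baseline from a full assessment, compute each tool's recall and the recall of the union. The vendor-name-to-class mapping, the URLs and every finding are constructed sample data.

```python
"""Normalize findings from two scanners into one schema, measure overlap,
and measure recall against a manually confirmed baseline.

Added example with constructed data; the report formats below are
simplified stand-ins for real scanner output, not vendor formats.
"""
import csv
import io
import json
from collections import namedtuple

# One record shape for every tool: what class of bug, which endpoint, which input.
Finding = namedtuple("Finding", ["vuln_class", "url", "param"])

# Constructed sample output: scanner A emits JSON, scanner B emits CSV.
SCANNER_A_JSON = json.dumps([
    {"type": "Cross-Site Scripting (Reflected)",
     "url": "https://app.example/search?q=1", "parameter": "q"},
    {"type": "SQL Injection",
     "url": "https://app.example/item?id=2", "parameter": "id"},
    {"type": "Missing HttpOnly flag",
     "url": "https://app.example/login", "parameter": "SESSIONID"},
])

SCANNER_B_CSV = """Severity,Check,URL,Param
High,Reflected XSS,https://app.example/search?q=abc,q
High,SQL Injection,https://app.example/item?id=2,id
Low,Directory Listing,https://app.example/static/,
"""

# Assumed mapping from each vendor's check name to a tool-neutral class.
# This is the part a standard findings format would make unnecessary.
CLASS_MAP = {
    "cross-site scripting (reflected)": "xss-reflected",
    "reflected xss": "xss-reflected",
    "sql injection": "sqli",
    "missing httponly flag": "cookie-httponly",
    "directory listing": "dir-listing",
}

# Constructed baseline: what a full manual+tool assessment confirmed, including
# classes (authorization, information disclosure) that scanners tend to miss.
MANUAL_BASELINE = {
    Finding("xss-reflected", "https://app.example/search", "q"),
    Finding("sqli", "https://app.example/item", "id"),
    Finding("cookie-httponly", "https://app.example/login", "SESSIONID"),
    Finding("dir-listing", "https://app.example/static", None),
    Finding("idor", "https://app.example/invoice", "id"),
    Finding("info-disclosure", "https://app.example/api/users", None),
    Finding("csrf", "https://app.example/profile", None),
    Finding("auth-bypass", "https://app.example/admin", None),
}


def normalize_url(url):
    """Drop the query string and trailing slash: the same endpoint hit with
    different payload values is the same finding, not two."""
    return url.split("?", 1)[0].rstrip("/")


def parse_scanner_a(text):
    """Scanner A's (constructed) JSON list -> set of Finding."""
    out = set()
    for rec in json.loads(text):
        out.add(Finding(CLASS_MAP[rec["type"].lower()],
                        normalize_url(rec["url"]), rec["parameter"]))
    return out


def parse_scanner_b(text):
    """Scanner B's (constructed) CSV -> set of Finding. Empty Param means
    the finding is not tied to a specific input."""
    out = set()
    for row in csv.DictReader(io.StringIO(text)):
        out.add(Finding(CLASS_MAP[row["Check"].lower()],
                        normalize_url(row["URL"]), row["Param"] or None))
    return out


def compare(a, b):
    """Overlap between two tools' normalized finding sets."""
    return {"both": a & b, "only_a": a - b, "only_b": b - a, "union": a | b}


def recall(found, baseline):
    """Fraction of the confirmed baseline that a tool (or union of tools) found.
    This is the number behind a claim like 'scanners find 10-20%'."""
    return len(found & baseline) / len(baseline)


if __name__ == "__main__":
    a = parse_scanner_a(SCANNER_A_JSON)
    b = parse_scanner_b(SCANNER_B_CSV)
    r = compare(a, b)
    print("found by both:", len(r["both"]), " only A:", len(r["only_a"]),
          " only B:", len(r["only_b"]), " union:", len(r["union"]))
    print("recall A: %.2f  recall B: %.2f  recall A|B: %.2f" % (
        recall(a, MANUAL_BASELINE), recall(b, MANUAL_BASELINE),
        recall(r["union"], MANUAL_BASELINE)))
```

Note that the URL normalization decides what "the same finding" means; without it, the two XSS hits on `/search` with different payloads would count as two distinct results and inflate the "found by only one tool" numbers. The recall figure is only as honest as the baseline, which is exactly Patrick's first point: you can only quote a miss rate after someone has done the manual work to know what was there.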


_______________________________________________
Owasp-boston mailing list
Owasp-boston at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-boston
