[Owasp-boston] OWASP Boston - some questions for tonight

Weiler, Jim Jim.Weiler at starwoodhotels.com
Mon Jul 25 12:42:06 EDT 2011

Hi Anurag,

I know you might not get this before the meeting but if not, I'll ask at
the meeting -

1. Do scanners that use instrumented web browsers as their main
technology have fewer false positives or more accurate response behavior
compared to scanners that emulate browsers?

2. What are the algorithms used to determine that a SQL injection
vulnerability exists? Do any scanners provide confidence levels in their

3. What features allow a scanner to be more easily used as a
penetration test tool, beside recording user actions for replay?

4. With software threat modeling, do you start from the 'inside
out', i.e. where's the data to protect and how could the controls
closest to the data be compromised, or do you start 'outside in', with
the threat agent from the internet and follow how they could get into a
web app from the outside? Is this even a useful question?


See you tonight,



Jim Weiler       CISSP   CSSLP   GSSP - Java

Sr. Mgr.  Information Security Risk Assessment

Starwood Hotels      1505 Washington St.   Braintree MA. 02184

desk - 781 356 0067

mobile - 7816546048

