[Owasp-boston] OWASP Boston - some questions for tonight
Jim.Weiler at starwoodhotels.com
Mon Jul 25 12:42:06 EDT 2011
I know you might not get this before the meeting but if not, I'll ask at
the meeting -
1. Do scanners that use instrumented web browsers as their main
technology have fewer false positives or more accurate response behavior
compared to scanners that emulate browsers?
2. What are the algorithms used to determine that a SQL injection
vulnerability exists? Do any scanners provide confidence levels in their
3. What features allow a scanner to be more easily used as a
penetration test tool, beside recording user actions for replay?
4. With software threat modeling, do you start from the 'inside
out', i.e. where's the data to protect and how could the controls
closest to the data be compromised, or do you start 'outside in', with
the threat agent from the internet and follow how they could get into a
web app from the outside? Is this even a useful question?
See you tonight,
Jim Weiler CISSP CSSLP GSSP - Java
Sr. Mgr. Information Security Risk Assessment
Starwood Hotels 1505 Washington St. Braintree MA. 02184
desk - 781 356 0067
mobile - 7816546048
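Question 2 asks how a scanner decides that a SQL injection vulnerability exists and whether it can report a confidence level. The Python below is an added illustration, not part of Jim's message and not the code of any real scanner. It sketches two heuristics that black-box scanners commonly combine: error-based detection (a stray quote surfaces a database error string) and boolean-based blind detection (a TRUE condition preserves the baseline response while a FALSE condition changes it), then folds the evidence into a confidence score. The target "application" is a constructed in-memory SQLite handler so the code runs offline; the handler names, the `id` parameter, the similarity thresholds and the scoring weights are all assumptions chosen for the example.

```python
"""Added example: SQL injection detection heuristics with a confidence score.

Constructed targets: vulnerable_handler (string concatenation) and safe_handler
(parameter binding) simulate an HTTP endpoint; send(value) returns a body.
"""
import difflib
import re
import sqlite3
from dataclasses import dataclass, field

# Database error fragments a scanner looks for (assumed list, not exhaustive).
ERROR_SIGNATURES = [
    re.compile(p, re.IGNORECASE) for p in (
        r"you have an error in your sql syntax",   # MySQL
        r"unclosed quotation mark",                 # MSSQL
        r"ORA-\d{5}",                               # Oracle
        r"unrecognized token|near \".*\": syntax error",  # SQLite
    )
]


@dataclass
class Finding:
    parameter: str
    confidence: float            # 0.0 (not detected) .. 1.0
    evidence: list = field(default_factory=list)


def similarity(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()


def detect_sqli(send, parameter, benign_value):
    """send(value) -> response body for ?parameter=value. Returns a Finding."""
    score, evidence = 0.0, []

    # Stability check: a page that differs between identical requests
    # (timestamps, tokens, ads) weakens any boolean inference drawn from it.
    base_a, base_b = send(benign_value), send(benign_value)
    stable = similarity(base_a, base_b) >= 0.98

    # 1. Error-based: inject a lone quote and look for a DB error string
    #    that the baseline did not already contain.
    err_resp = send(benign_value + "'")
    for sig in ERROR_SIGNATURES:
        if sig.search(err_resp) and not sig.search(base_a):
            score += 0.5
            evidence.append(f"error signature {sig.pattern!r} after quote")
            break

    # 2. Boolean-based blind: TRUE keeps the baseline, FALSE departs from it.
    true_resp = send(f"{benign_value} AND 1=1")
    false_resp = send(f"{benign_value} AND 1=2")
    if similarity(true_resp, base_a) >= 0.98 and similarity(false_resp, base_a) < 0.9:
        score += 0.5 if stable else 0.25   # discount evidence from a noisy page
        evidence.append("TRUE/FALSE differential" + ("" if stable else " (unstable baseline)"))

    return Finding(parameter, min(score, 1.0), evidence)


# ---- constructed targets (stand-ins for a web application) ----------------

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def vulnerable_handler(conn, item_id):
    # Deliberately vulnerable: the parameter is concatenated into the query.
    try:
        rows = conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()
    except sqlite3.Error as exc:
        return f"<h1>Error</h1><pre>{exc}</pre>"
    return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


def safe_handler(conn, item_id):
    # Hardened: type-validated and bound as a parameter.
    try:
        value = int(item_id)
    except ValueError:
        return "<h1>Bad request</h1>"
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (value,)).fetchall()
    return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


def run_demo():
    """Scan both constructed handlers; returns {name: confidence}."""
    conn = make_db()
    results = {}
    for name, handler in (("vulnerable", vulnerable_handler), ("safe", safe_handler)):
        results[name] = detect_sqli(lambda v: handler(conn, v), "id", "1").confidence
    return results


if __name__ == "__main__":
    for name, conf in run_demo().items():
        print(f"{name}: confidence {conf:.2f}")
```

The two signals are deliberately independent: an error message alone can come from input validation rather than from the database, and a response differential alone can come from a dynamic page, so a scanner that reports the combination (and discounts evidence from an unstable baseline) gives the tester a confidence level with a traceable reason behind it rather than a bare yes/no.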