May 28, 2007

Man Vs. Machine

Or: how to avoid the Assembly Line Syndrome

Recently, I’ve heard several security experts talk about the efficiency of automated web application scanners. Specifically, they raise claims that automated scanners are only good for:


  • "Low Hanging Fruits" vulnerabilities
  • "Technical vulnerabilities"

They all say that automated scanners cannot handle the "logical vulnerabilities". I thought it might be a good time/place to explain the difference between the types of vulnerabilities, and to explain why I think that every healthy security review of an application, should always contain both automated and manual assessments.

Continue reading "Man Vs. Machine" »

Posted by on May 28, 2007 in Web Application Scanners | | Comments (5) | TrackBack (0)

| |

May 27, 2007

There's a reason they call it the OWASP Top 10

During the time I have spent in the security industry, I have seen many hypes come and go (Gartner call it Hype Cycles).


Gartner's Hype Cycle Graph
Gartner's Hype Cycle Graph

Here are a few examples from our own field:

Frankly, I believe that each of the aforementioned topics deserves the market's attention, but not in the form of a hype.

Continue reading "There's a reason they call it the OWASP Top 10" »

Posted by on May 27, 2007 in Hypes | | Comments (0) | TrackBack (0)

| |

May 18, 2007

Threat Classification

or: How I Learned to Stop Worrying and Love Web Application Threat Classifications

While working on the WASC Threat Classification v2.0 project, I got to think about the subject of classifying web application threats once again… You see, I have been dealing with Web Application Security Threat Classification since I started working on AppScan, approximately 7 years ago. back then (the Sanctum days), things were a lot simpler, the threat classes that were used in the product and in presentations, were proprietary, and were invented mainly for educational and marketing purposes.

Continue reading "Threat Classification" »

Posted by on May 18, 2007 in Web Application Threat Classification | | Comments (0) | TrackBack (0)

| |

« Previous

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan