Web Application Scanners

July 10, 2007

My Wish for Open Source Web Application Security Tools

If web application scanning tools are the power tools used for broad application assessment, then the more sophisticated penetration tester will extend and refine the results through the usage of finely tuned scalpels.  Myself?  I've always favored using Netcat, Paros and human intelligence.  This is not to say that there are not many other powerful tools available, but these happen to be my scalpels of choice.

Whenever I hear people saying that they wish there was an open source web application scanning tool available, similar to a Metasploit-type tool but for the application, I'm genuinely puzzled.  I wish for something even more basic: a solid, mature open source framework from which to perform web application assessments.  I want a framework from which I can begin with an architectural risk analysis and move forward, collecting and trending SDL artifacts, through to a platform from which I can proxy, build, fuzz and report on my assessment.  Am I missing something?

Continue reading "My Wish for Open Source Web Application Security Tools" »

May 28, 2007

Man Vs. Machine

Or: how to avoid the Assembly Line Syndrome

Recently, I've heard several security experts talk about the efficiency of automated web application scanners. Specifically, they claim that automated scanners are only good for:

  • "Low-hanging fruit" vulnerabilities
  • "Technical" vulnerabilities

They all say that automated scanners cannot handle the "logical" vulnerabilities. I thought it might be a good time and place to explain the difference between the types of vulnerabilities, and to explain why I think that every healthy security review of an application should always contain both automated and manual assessments.

Continue reading "Man Vs. Machine" »