<h1>Cracking Drupal - penetration testing</h1>
<p><a href="http://crackingdrupal.com/taxonomy/term/30/0">http://crackingdrupal.com/taxonomy/term/30/0</a></p>

<h2><a href="http://crackingdrupal.com/blog/greggles/application-security-beyond-scanner-monkey">Application security beyond the scanner monkey</a></h2>
<p>Matt Fisher of <a href="http://www.piscis-security.com/">Piscis Security</a> gave a discussion about security beyond the "scanner monkey" phase. Scanner monkeys are people who run a scanner tool, get the output, and think they are done with a vulnerability assessment. There are more and more scanners - commercial, proprietary, and open source - and yet they are no longer good enough.</p>
<ul>
<li>The scanners only start the process; they don't end it.</li>
<li>The person running the scanner is likely not talented enough to configure it properly.</li>
</ul>
<p>Perhaps the best quote from the presentation is "we don't fix cars by placing a screwdriver and wrench on the hood and hoping that things get fixed - we need talented people who use tools to fix things."</p>
<p>So, ultimately this presentation suggested that scanners are a part of the solution and that ultimately we need:</p>
<ul>
<li>Front end scanners, static code analysis</li>
<li>Interviews with the developers</li>
<li>Reviews with whomever manages the hardware/software of the application</li>
</ul>
<p>And on and on.</p>
<p>It wasn't clear what the takeaway was, other than "you should work harder", which is certainly true, but not really motivating or useful to hear.</p>
<p>Tags: penetration testing, scanner monkey. Posted Fri, 13 Nov 2009 14:55:56 +0000 by greggles.</p>

<h2><a href="http://crackingdrupal.com/blog/greggles/using-watcher-make-pen-testing-more-efficient">Using Watcher to make pen testing more efficient</a></h2>
<p>The Watcher session was basically a sales pitch and demo for the <a href="http://websecuritytool.codeplex.com/">Watcher</a> tool, though it's a free tool so "sales pitch" is not exactly right. Watcher is an open source tool that sits inside of <a href="http://www.fiddlertool.com/">Fiddler</a>, which is a web proxy useful for debugging web applications.</p>
<p>The application is a Windows-only tool.</p>
<p>So, I left the room and went to see Social Media Zombies next door. I'm sure Fiddler and Watcher are pretty awesome, but <a href="http://www.grendel-scan.com/">Grendel</a> is actually cross-platform so it's much more interesting to me.</p>
<p>Basically they create a bot and control it with Twitter. Turns out, this was actually used for evil after it was initially launched. Further, it's possible to use Facebook, Wave, MySpace, etc. to run XSS and get access to your private data. Overall, quite an interesting presentation with more good resources at <a href="http://www.digininja.org/">Digi Ninja</a> and <a href="http://socialmediasecurity.com/">Social Media Security</a>.</p>
<p>Tags: penetration testing, social media, watcher, zombies. Posted Thu, 12 Nov 2009 19:47:11 +0000 by greggles.</p>