Any experiences with security scanning software?
Posted: Thu Sep 07, 2006 7:14 am
by matthijs
Do people have experience with automatic security check software like
https://chorizo-scanner.com/?
I'd personally prefer to code bullet-proof and not rely on other tools, but I saw this today and I wondered whether people have used software like this.
Posted: Thu Sep 07, 2006 7:45 am
by Mordred
You worked hard developing your PHP based web (2.0) application. Now it's time to make it secure.
Wrong.
Now is too late to make it secure. And adding their patches will clutter your code and frankly - what guarantee do you have that they did it right? Actually, what guarantee do you have that they caught all vulnerabilities? And what about huge enormous holes due to bad software design? What about CPU/memory hogs that look all right to the scanner until a week later a script kiddie cranks the CPU load of your server and your hosting kicks you out?
0. Know thy vulnerabilities
1. Make a secure design
2. Write secure code
3. Rinse, repeat.
That's the right recipe.
Still, I haven't tried the product, this is just an impression from their site/video.
By all means use whatever software to test your app - but don't think it will make it more secure.
Posted: Thu Sep 07, 2006 8:47 am
by matthijs
Well, I'm not planning on using that specific software. Funny that that first sentence caught your attention (in a negative way) too.
But it is a fact that machines (or software) can be a bit more accurate than humans in certain situations. Especially when it comes to repetitive tasks. I wouldn't know how such a "security scanner" would or could work, but I could imagine that certain tools might possibly be useful in some situations.
Take for example link-checking on a website (not security related, but a good example). I use a little program for that. Because I can click around as much as I want, if a site gets larger than 20-30 pages chances are I will miss a broken link somewhere. The script will help me find that one in seconds.
Posted: Wed Sep 27, 2006 6:42 pm
by blinton25
Hi,
Tools that I have looked at are:
http://www.syhunt.com (Collapse and SandCat)
http://www.nessus.org/
http://www.spidynamics.com
http://www.hackerguardian.com/
http://www.acunetix.com/
http://www.nstalker.com/products/free/d ... ee-edition
My general findings were that the products tell you about server configuration issues, rather than application (PHP/ASP.NET for me) problems. If the application is a known one (e.g. a phpBB, osCommerce) then they can tell you about the issues which they know about. However, for custom applications, they don't seem to be able to pick up issues (or they tell you that you have XSS issues, and to pay for a full report).
However, such tools can have a role in relation to audits. I don't think someone who has bought software or paid to have software developed has the time/skills to check through thousands of lines of code to determine what security issues may be present. A good tool should be able to identify such issues so you can tell your developer to fix the problems.
Posted: Thu Sep 28, 2006 5:38 am
by Maugrim_The_Reaper
Although I wouldn't rely on such a tool to a huge extent - a real person is a million times more inventive than an application - it's useful in a risk management role. Scanning tools are reasonably popular as audit tools - if you can't agonise over every scrap of code continuously, a scanner check at least provides some level of comfort. Consider it an additional-end or an earlier preliminary check - you code securely, have your unit tests in place, have audited broadly, then run the scanner as an additional comfort check - or use it frequently to catch missed issues. Nothing wrong with that. Chorizo is a bit more interesting than the current run-of-the-mill scanner since it integrates with a PHP extension, Morcilla, to hook into PHP function usage.
Their frontpage quote is unfortunate - but there's marketing for you...

Posted: Sat Oct 14, 2006 8:04 pm
by Stevenr
http://www.insecuremagazine.com/INSECURE-Mag-8.pdf
"Review: Acunetix Web Vulnerability Scanner 4.0"
But these tools, and even static code analysis, show false positives and don't find every hole.
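The false-positive / false-negative point made in the last two posts is easy to see in miniature. The following is an added example, not code from the thread or from any of the scanners listed above: two toy static checkers for reflected XSS in PHP source, run over a handful of constructed snippets with a human reviewer's verdict attached. The snippet names, the sanitizer list and the `evaluate` helper are all assumptions made for the illustration; the statement splitter is deliberately crude and only works on the one-liners embedded here.

```python
import re

# PHP request superglobals, the usual taint sources for reflected XSS.
SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\s*\[')
# Names a string-level heuristic treats as "this expression is now safe".
SANITIZERS = ("htmlspecialchars(", "htmlentities(", "(int)", "intval(")

# Constructed single-file PHP snippets (not from the thread), each paired with
# the verdict a human reviewer would give: True = reflected XSS, False = safe.
SAMPLES = {
    "direct_echo":    ('<?php echo $_GET["name"]; ?>', True),
    "escaped_echo":   ('<?php echo htmlspecialchars($_GET["name"], ENT_QUOTES); ?>', False),
    "indirect_echo":  ('<?php $n = $_GET["name"]; echo "Hi " . $n; ?>', True),
    "cast_echo":      ('<?php $id = (int)$_GET["id"]; echo $id; ?>', False),
    "partial_escape": ('<?php echo htmlspecialchars("x") . $_GET["name"]; ?>', True),
}

def statements(src):
    """Split a snippet into PHP statements (only good enough for these samples)."""
    body = re.sub(r'^<\?php\s*|\s*\?>$', '', src.strip())
    return [s.strip() for s in body.split(';') if s.strip()]

def naive_scan(src):
    """Grep-style check: any echo/print that mentions a superglobal is flagged."""
    for stmt in statements(src):
        m = re.match(r'(?:echo|print)\b\s*(.+)$', stmt)
        if m and SUPERGLOBAL.search(m.group(1)):
            return True
    return False

def taint_scan(src):
    """One step smarter: follow taint through assignments, trust sanitizer names."""
    tainted = set()

    def is_tainted(expr):
        if any(s in expr for s in SANITIZERS):   # string match, not a real parse
            return False
        if SUPERGLOBAL.search(expr):
            return True
        return any(re.search(r'\$' + v + r'\b', expr) for v in tainted)

    for stmt in statements(src):
        assign = re.match(r'\$(\w+)\s*=(?!=)\s*(.+)$', stmt)
        if assign:
            name, expr = assign.groups()
            if is_tainted(expr):
                tainted.add(name)
            else:
                tainted.discard(name)
            continue
        out = re.match(r'(?:echo|print)\b\s*(.+)$', stmt)
        if out and is_tainted(out.group(1)):
            return True
    return False

def evaluate(scanner):
    """Compare a scanner's verdicts with the reviewer's; return its mistakes."""
    false_pos, false_neg = [], []
    for name, (src, vulnerable) in SAMPLES.items():
        flagged = scanner(src)
        if flagged and not vulnerable:
            false_pos.append(name)
        elif vulnerable and not flagged:
            false_neg.append(name)
    return {"false_positives": false_pos, "false_negatives": false_neg}

if __name__ == "__main__":
    for scanner in (naive_scan, taint_scan):
        print(scanner.__name__, evaluate(scanner))
```

The grep-style check reports `escaped_echo` (a false positive, because the superglobal is right there in the escaped expression) and misses `indirect_echo` (a false negative, because the taint travelled through a variable). Adding assignment tracking and a sanitizer allowlist fixes both, but the allowlist is a string match, so `partial_escape`, where only one operand of the concatenation is escaped, now slips through. Each refinement moves the errors around rather than eliminating them, which is exactly why a clean scanner report is a comfort check and not a proof.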