Validating assessment tools

With tools such as Nessus and QualysGuard, you'll be able to root out problems such as missing patches and misconfigurations in your operating system and other software you have installed (including the Web server itself) that can lead to a Web application compromise.

If you want to get the entire picture, you should also look at your back-end databases and related network infrastructure systems.

For other issues, you may need the power of a Web proxy tool or HTTP editor, such as the free Paros proxy tool or the tools bundled with many commercial scanners. If you can, take a screenshot of your findings and stick it in your report.


This is where your human context and Web usage expertise come into play.

Get in and poke around in the application a bit more to see what else can be done from a malicious point of view.

Verifying your results simply requires going back to your original scanner data or exported reports and seeing if you can reproduce the problems the tools found.

For certain issues, you may need only a simple Web browser for validation.
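One way to make the re-checking step repeatable is to cross-reference the scanner's exported findings against the HTTP responses you recorded through your proxy, so each finding is marked confirmed or not reproduced before it goes into the report. The script below is an added example, not code from the original article or from any scanner vendor; the export format, the paths and the captured responses are all constructed for illustration.

```python
"""Cross-check exported scanner findings against HTTP responses captured with
a Web proxy, marking each one confirmed, not reproduced, or lacking a capture.
Added example: the export layout and the responses are constructed, not the
output of a real scanner or a real site."""
from dataclasses import dataclass


@dataclass
class Finding:
    fid: str
    path: str
    check: str            # "header_missing", "header_contains" or "body_contains"
    needle: str           # header name, header value fragment, or body fragment
    expected_header: str  # only used by "header_contains"


# Constructed stand-in for a scanner's CSV export:
# id, path, check type, needle, header (may be empty)
SCANNER_EXPORT = """\
F-1,/login,header_missing,X-Frame-Options,
F-2,/,header_contains,Apache/2.2,Server
F-3,/backup/,body_contains,Index of /backup,
F-4,/login,body_contains,debug=true,
F-5,/admin,header_missing,X-Frame-Options,
"""

# Constructed stand-in for responses recorded through the proxy.
CAPTURED = {
    "/login": {"status": 200,
               "headers": {"Content-Type": "text/html", "Server": "Apache"},
               "body": "<html><form action='/login' method='post'></form></html>"},
    "/": {"status": 200,
          "headers": {"Content-Type": "text/html", "Server": "Apache/2.2.15"},
          "body": "<html>Welcome</html>"},
    "/backup/": {"status": 200,
                 "headers": {"Content-Type": "text/html", "Server": "Apache/2.2.15"},
                 "body": "<title>Index of /backup</title><a href='db.sql'>db.sql</a>"},
}


def parse_export(text):
    """Turn the CSV-style export into Finding records (blank lines skipped)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fid, path, check, needle, header = line.split(",", 4)
        findings.append(Finding(fid, path, check, needle, header))
    return findings


def reproduce(finding, responses):
    """Re-check one finding against the recorded response for its path."""
    resp = responses.get(finding.path)
    if resp is None:
        return "no capture"      # nothing to verify against; capture it first
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    if finding.check == "header_missing":
        present = finding.needle.lower() in headers
        return "not reproduced" if present else "confirmed"
    if finding.check == "header_contains":
        value = headers.get(finding.expected_header.lower(), "")
        return "confirmed" if finding.needle in value else "not reproduced"
    if finding.check == "body_contains":
        return "confirmed" if finding.needle in resp["body"] else "not reproduced"
    return "unknown check"


def validate(export_text, responses):
    """Map every finding id in the export to its verification status."""
    return {f.fid: reproduce(f, responses) for f in parse_export(export_text)}


if __name__ == "__main__":
    for fid, status in validate(SCANNER_EXPORT, CAPTURED).items():
        print(fid, status)
```

Findings that come back "not reproduced" (F-4 here) are the ones to revisit by hand before you call them false positives; "no capture" (F-5) means the proxy never saw that path, so the check has not been done yet.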

I can't tell you how many times I've found flaws in login mechanisms, form input validation and sensitive information buried in HTML and server directories that automated tools would never uncover.

Test your source code

Until you look at your Web application's source code, you won't be able to say with conviction that everything's been tested.

I've found out the hard way that, by and large, high-end equals high quality.

Good tools translate into more (and more complex) security flaws discovered, as well as less time and effort wasted trying to track them down.

When I can, I use both tools, because they tend to find different things that I don't want to overlook. (There's more on this below.)

Look at your application from every perspective

Perform a reconnaissance on your Web application and see what the world can see, using Google and Google-hacking tools such as Foundstone's SiteDigger.

Odds are you won't find a lot of stuff, but you'll never know until you check.

Here's an essential elements checklist to help you get the most out of your Web application security testing.