[Dailydave] Coverage and a recent paper by L. Suto
Adriel Desautels
adriel at netragard.com
Sun Oct 28 21:44:38 EDT 2007
Honestly, I don't think that the testing tools matter as much as the
talent of their respective users. We've used a wide variety of tools and
they're pretty much all "trying" to do the same thing. Automation ==
time savings && identification of low-hanging fruit (not to mention
false positives and false negatives). Automation != quality assessment
&& quality report; only talent can deliver that.
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Dave Aitel wrote:
> http://ha.ckers.org/files/CoverageOfWebAppScanners.pdf
>
> He compared NTOSpider/Appscan/Webinspect - and NTOSpider "won".
>
> Without the full vulnerability reports and the VMs of the vulnerable
> apps, I'm not going to dwell on the comparison of tools, except to say
> it's interesting, but I will say that all this focus on "code
> coverage" is a bit strange. Vulnerabilities, like fish, tend to
> cluster in particular places. Having 10% code coverage is perfectly OK
> if it's the code that has the bugs. And you can't see race conditions
> with code coverage tools.
>
> Also, most of the value of instrumentation is that when built into
> your attack tool you get a real-time human-usable view into the guts
> of the application. This is why I don't think byte-code
> instrumentation has huge advantages over just hooking Win32 APIs. But
> I don't have a byte-code parser yet either. :>
>
> Speaking of race conditions, I'm happy to announce that Immunity has
> += Paul Starzetz (http://marc.info/?a=107032640300001&r=1&w=2).
>
> -dave
>
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave