Michael Osipov wrote:
> Mark Thomas wrote:
>> We do occasionally receive reports to the security team that provide
>> outputs from various security testing tools. In short, the output is
>> nearly always complete garbage. For example, on one occasion a handful
>> of XSS issues were reported all of which were invalid whilst valid XSS
>> issues (later reported by others) were completely missed.
> Were you told the names of the tools with which the garbage output has
> been produced?
Yes we were, but I am not prepared to name the tools.
>> Getting off topic a little, where I think automated tools do have
>> something to offer is in the area of finding bugs. Checking for unused
>> variables etc often highlights (usually minor) bugs. FindBugs, PMD,
>> checkstyle, the stuff built in to Eclipse all have something to offer
>> in this area.
> I am aware of all the tools you cited, but they don't necessarily do
> security testing (e.g. checkstyle). Did you ever come across LAPSE [1]?
> I have investigated some tools; maybe they are of interest to you to some
> extent. Check this article [2] on different tools, nikto [3], and Wfuzz
> [4].
As I said, automated tools for finding general bugs can work. I haven't
used them (and wouldn't) to find security issues.
Mark