Comments on Jeremiah Grossman: Drawing a line in the "Scan"
Comment feed, last updated 2024-02-08T03:44:23-08:00

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-01-15T07:44:00-08:00:

Thanks, alikl.

Basically the surveys said that about 50% of pen-testers use commercial web application scanners. The ones that did viewed those products as performing about half the work and finished the rest by hand. The other half chose not to use them because they felt it was shorter to do the whole assessment by hand.

Anonymous, 2007-01-13T12:06:00-08:00:

Jeremiah, love your postings.
I can recall your recent survey where respondents stated they almost do not use commercial or even open source scanners; everybody uses her own techniques. I do not think, actually I am sure, it is not one or another. MSDN has a very nice walkthrough on how to conduct a code inspection for security for .NET code: http://msdn2.microsoft.com/en-us/library/ms998364.aspx. Basically it has a few steps to go; one is a preliminary scan, which can be automated using the mentioned tools (I use Windows' built-in findstr, which looks for strings in compiled assemblies and source files as well), and then code reading, drilling deeply into the logic flaws. So far it works for me.
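The preliminary scan step the comment above describes (search source files and compiled assemblies for strings worth a closer look, then read the code around each hit by hand), as an added example that is not code from the original page or from the commenter. It uses Python as a portable stand-in for findstr; the watch list, the file names and the sample source text and assembly bytes are all constructed for this example, not taken from the MSDN article. One point the example builds in: in a .NET assembly, the type and member names the code references sit UTF-8-encoded in the metadata #Strings heap, while string literals sit UTF-16LE-encoded in the #US heap, so a byte search for the ASCII form of a pattern alone will not find a hard-coded query literal; the example searches binaries for both encodings.

```python
"""Preliminary 'scan' step of a managed-code security review.

Constructed example: flag places in C#/ASP.NET source and in compiled
.NET assemblies that deserve a manual read. Source is searched line by
line. Assemblies are searched for each name in two encodings: UTF-8, as
type/member names appear in the #Strings heap, and UTF-16LE, as string
literals appear in the #US heap.
"""
import os
import re
from dataclasses import dataclass

# Watch list constructed for this example (not the MSDN article's list):
# (substring to search for, what the reviewer should check at the hit).
WATCH_LIST = [
    ("SqlCommand", "query built here? concatenation vs. parameters"),
    ("ExecuteReader", "query execution point; trace the command text back"),
    ("SELECT ", "SQL literal; see how the rest of the statement is assembled"),
    ("Process.Start", "OS command launch; check argument source and quoting"),
    ("Request.QueryString", "untrusted input; follow it to its sinks"),
    ("Response.Write", "output sink; is user-controlled data encoded?"),
    ("unsafe", "pointer code; bounds checks are the developer's job"),
]

SOURCE_EXT = {".cs", ".vb", ".aspx", ".ascx", ".config"}
ASSEMBLY_EXT = {".dll", ".exe"}


@dataclass
class Hit:
    path: str
    location: str   # "line N" in source, "offset 0xN (encoding)" in binaries
    pattern: str
    note: str


def scan_source_text(path: str, text: str) -> list:
    """findstr-style substring search: one hit per (line, pattern)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat, note in WATCH_LIST:
            if pat in line:
                hits.append(Hit(path, f"line {lineno}", pat, note))
    return hits


def scan_assembly_bytes(path: str, data: bytes) -> list:
    """Search raw assembly bytes for each pattern in both metadata encodings."""
    hits = []
    for pat, note in WATCH_LIST:
        for enc, needle in (("utf-8", pat.encode("utf-8")),
                            ("utf-16le", pat.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.append(Hit(path, f"offset 0x{m.start():x} ({enc})", pat, note))
    return hits


def scan_tree(root: str) -> list:
    """Walk a checkout or build output and scan every file by extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SOURCE_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source_text(path, fh.read()))
            elif ext in ASSEMBLY_EXT:
                with open(path, "rb") as fh:
                    hits.extend(scan_assembly_bytes(path, fh.read()))
    return hits


# Constructed inputs so the example runs offline. Login.cs is a small
# vulnerable-by-design snippet; the Login.dll bytes stand in for its
# compiled form: the type name as it sits UTF-8 in #Strings, the query
# literal as it sits UTF-16LE in #US.
SAMPLE_SOURCE = """using System.Data.SqlClient;
public class Login {
    public bool Check(string user) {
        var cmd = new SqlCommand("SELECT 1 FROM users WHERE name='" + user + "'");
        return cmd.ExecuteReader().Read();
    }
}
"""
SAMPLE_ASSEMBLY = (b"\x00" * 16 + b"SqlCommand\x00"
                   + "SELECT 1 FROM users WHERE name='".encode("utf-16-le")
                   + b"\x00" * 16)


def demo():
    """Return (source hits, assembly hits) for the constructed inputs."""
    return (scan_source_text("Login.cs", SAMPLE_SOURCE),
            scan_assembly_bytes("Login.dll", SAMPLE_ASSEMBLY))


if __name__ == "__main__":
    src_hits, bin_hits = demo()
    for h in src_hits + bin_hits:
        print(f"{h.path}:{h.location}: {h.pattern} -> {h.note}")
```

The hits are a reading list, not findings: on the constructed input the query literal in the assembly is only found by the UTF-16LE search, and whether the concatenation on line 4 is actually exploitable is settled in the second step the comment describes, reading the code around each hit. For a real tree, `scan_tree(root)` does the walk; the watch list is the part to tune for the code base under review.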