From: "Richie Taylor"
To:
Cc: "Richie Taylor"
Date: Fri, 6 Aug 2004 10:05:56 -0700
Subject: Web Application Vulnerability Assessment Tools
Message-ID:

Alex,

I was forwarded your email from a co-worker. I work for Reasoning Inc, an application code inspection company in Mountain View, CA. Reasoning (www.reasoning.com) provides a software defect detection service. We detect critical, crash-causing and data-corrupting defects like:

- Memory leaks
- Out-of-bounds array conditions
- Buffer overflows
- NULL pointer dereferences

When time permits, I'd like to discuss where you are in the process of evaluating application vulnerability assessment tools. We help companies detect these critical defects earlier in the development cycle (before code is even executable), when they take less time and expense to address. I don't know if this is something that would be useful to you or not.

Please let me know when you'd like to schedule a time to speak on the phone. I'd like to learn more about your software development organization and the issues you are currently trying to address, to see if there might be a fit.

Richie Taylor
Reasoning Inc.
2440 W. El Camino Real
Mountain View, CA 94040
http://www.reasoning.com/
650.316.4343 - office
650.316.4433 - fax

Reasoning Enters Security Arena with New Application-level Security Inspection Service
Security Inspection Service Minimizes Existence of Major Root-cause Vulnerabilities Behind 70% of CERT Advisories
http://www.reasoning.com/newsevents/pr/03_08_04.html

"THE PERILS OF MODIFYING SOFTWARE"
Study shows that modified code can increase defects three-fold
http://www.esj.com/news/article.asp?EditorialsID=883

-----Original Message-----
From: Alex Holst [mailto:a@mongers.org]
Sent: Friday, August 06, 2004 8:12 AM
To: SECPROG@SECURITYFOCUS.COM
Subject: Re: Web Application Vulnerability Assessment Tools

Quoting bsec@cotse.net (bsec@cotse.net):
> Greetings list,
>
> I'm in the process of evaluating web application vulnerability assessment
> tools and was wondering if you would be willing to share advice with me
> regarding tools available and how they've worked in your experience.

For casual use, I usually find that any decent web browser will do. When I have a need to systematically identify all sorts of vulnerabilities in a web application, I always reach for @stake's WebProxy.

--
I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow.
http://a.mongers.org

[Attachment: ASI White Paper v2.3.pdf]