Grey Box Assessment: Lessons Learned
May 10, 2007
Overview
• Engagement Description
• Black Box Overview
• SPI Dynamics WebInspect
• White Box Overview
• Fortify SCA
• SPI Dynamics DevInspect
• Afterthoughts
• Questions
Engagement Description
• eCommerce Website for F-1000 “Brick & Click”
• Grey Box Assessment
  • SCA
  • Black Box
    • Automated Tools
    • Hands On Testing
• Network Assessment
  • Important but not in scope for this talk
Black Box: SPI Dynamics WebInspect
Missed:
• Internal DMZ IP Stored in Cookie
• Logic Flaws
• Hard Coded Credentials
• Unreleased Resources
White Box: Fortify SCA
Missed:
• XSS in 3rd Party Components
• Internal DMZ IP Stored in Cookie
• Signup Issues
• Server Misconfiguration
• Logic Flaws
No Surprise: Production and Development Code are Not Identical
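Both the black-box scanner and the source analyzer above missed the internal DMZ address leaking through a cookie. The check below is an added example (not from the talk, the engagement, or either vendor's product) of the kind of hands-on test that catches it: it pulls the value out of each Set-Cookie header, tries the raw, URL-decoded and base64-decoded forms, and flags any RFC 1918 address. The sample headers are constructed, and treating RFC 1918 space as "internal" is an assumption.

```python
import base64
import ipaddress
import re
from urllib.parse import unquote

# RFC 1918 ranges, taken here as the meaning of "internal DMZ IP" (assumption).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")

def _decodings(value):
    """Yield the cookie value as-is, URL-decoded, and base64-decoded when it looks like base64."""
    yield value
    if "%" in value:
        yield unquote(value)
    if B64_RE.match(value):
        raw = value.rstrip("=")  # re-pad so a stripped-padding value still decodes
        try:
            yield base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True).decode("ascii", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            pass

def internal_ips_in_cookie(set_cookie_header):
    """Return the RFC 1918 IPv4 addresses found in one Set-Cookie value, in discovery order."""
    _, _, value = set_cookie_header.split(";", 1)[0].partition("=")
    found = []
    for text in _decodings(value.strip()):
        for match in IPV4_RE.findall(text):
            try:
                ip = ipaddress.IPv4Address(match)
            except ipaddress.AddressValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if any(ip in net for net in RFC1918) and str(ip) not in found:
                found.append(str(ip))
    return found

def scan_set_cookie_headers(headers):
    """Map cookie name -> leaked internal IPs for every header that leaks at least one."""
    findings = ((h.split(";", 1)[0].partition("=")[0].strip(), internal_ips_in_cookie(h)) for h in headers)
    return {name: ips for name, ips in findings if ips}

# Constructed Set-Cookie headers for demonstration; not taken from the engagement in the talk.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",             # clean
    "ROUTE=10.20.30.40:8080; Path=/",                   # plain internal IP and port
    "lb=MTAuMjAuMzAuNDE=; Path=/; Secure",              # base64 of "10.20.30.41"
    "origin=http%3A%2F%2F192.168.1.15%2Fapp; Path=/",   # URL-encoded internal URL
    "ext=203.0.113.7; Path=/",                          # public address, not flagged
]
```

Running `scan_set_cookie_headers` over the captured headers of a crawl gives the list of cookies to hand back to the developers; the base64 and URL-decoding passes are what a plain string grep for private ranges would miss.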
White Box Automated: SPI DevInspect
• Not really SCA
• Fault Injection
• Identical results to WebInspect
• “I Like SPI” but disappointed in DevInspect
• Good for development environment but not an SCA Replacement
Afterthoughts
• Grey box gave excellent coverage
• Hands on is still critical
• Testing environment matters
• Automation is your friend
• Corollary – understand your tools!