1 / 7

Grey Box Assessment Lessons Learned

Grey Box Assessment Lessons Learned. May 10, 2007. Overview. Engagement Description Black Box Overview SPI Dynamics WebInspect White Box Overview Fortify SCA SPI Dynamics DevInspect Afterthoughts Questions. Engagement Description. eCommerce Website for F-1000 “Brick & Click”

esme
Download Presentation

Grey Box Assessment Lessons Learned

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Grey Box AssessmentLessons Learned May 10, 2007

  2. Overview • Engagement Description • Black Box Overview • SPI Dynamics WebInspect • White Box Overview • Fortify SCA • SPI Dynamics DevInspect • Afterthoughts • Questions

  3. Engagement Description • eCommerce Website for F-1000 “Brick & Click” • Grey Box Assessment • SCA • Black Box • Automated Tools • Hands On Testing • Network Assessment • Important but not in scope for this talk

  4. Black BoxSPI Dynamics WebInspect Missed: Internal DMZ IP Stored in Cookie Logic Flaws Hard Coded Credentials Unreleased Resources

  5. White Box Fortify SCA Missed: XSS in 3rd Party Components Internal DMZ IP Stored in Cookie Signup Issues Server Misconfiguration Logic Flaws No Surprise: Production and Development Code are Not Identical

  6. White Box AutomatedSPI DevInspect • Not really SCA • Fault Injection • Identical results to WebInspect • “I Like SPI” but disappointed in DevInspect • Good for development environment but not a SCA Replacement

  7. Afterthoughts • Grey box gave excellent coverage • Hands on is still critical • Testing environment matters • Automation is you friend • Corollary – understand your tools!

More Related