I am a novice in web application security field. I am asked to write a white paper on "Next Generation Vulnerability Scanner".
As per my understanding, the current assessment methods are as follows
1. Black box testing: - This is performed in the following ways
a. Automated vulnerability scanning
b. Manual Penetration testing
c. Manual vulnerability assessment
2. Gray box testing:- This is similar to Black box testing. In addition, the analyst use to have some information about the application (e.g. credentials, technology, architecture etc. )
3. White Box Testing:- Analyst use to have maximum information about the application. Analyst reviews the code base of the application.
Now the question I have are
1. Are the current methodologies sufficient for the current generation technologies or is there a gap, if there is, then what is it and has there been any work going on to fill it in?
2. Here I am assuming the current methodologies are sufficient for current generation web App. But question is, will these methodologies be able to assess the next generation web applications ( developed in technologies like SAP, Oracle, IBM or more advanced ones )? If no, then what approach is going to be followed for such web Apps?
I would really appreciate your effort in answering these questions.
Granted, this has little to do with Astaro, since the product does not do security assessment, but...
1. Are the current methodologies sufficient for the current generation technologies or is there a gap, if there is, then what is it and has there been any work going on to fill it in?
There is always a gap. Protection methodologies are reactive in nature. Both vendors and academia are constantly researching new means of protection, just as the the "bad guys" are always thinking of new ways to thwart these protections. The same holds tru for vulnerability assessments. How successful vulnerability testing is has everything to do with the skill set of the person or company performing the assessment. Many assessments done by general practitioner consultants use pre-canned tools. These tools only check for well known vulnerabilities by the simplest means possible and often provide many false positives.
current generation web App
next generation web applications
There is little to no difference between past, present, or future web apps. You have display code, some scripting or compiled language to perform actions, and possibly a database backend. The languages may change (asp, asp.net, php, html5, etc.), but they all function in the same way and do the same things. When you see something like Web 2.0....this is nothing but marketing hype.
will these methodologies be able to assess the next generation web applications ( developed in technologies like SAP, Oracle, IBM or more advanced ones )?
First I'd like to mention that the items mentioned are not technologies, they are vendors who utilize a vast number of different technologies to create their products. The pre-canned tools are constantly adding new vulnerabilities to look for and the rare few individuals who have the skills necessary to do indepth assessments are always learning to keep up with changes.
You may want to go back to the drawing board on the questions that you are asking. You appear to be seeking definitive black and white answers in a realm that is made up entirely by shades of gray.
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
Quote