My primary focus is ensuring that I'm not introducing security holes through bad programming. I understand how to code to protect against the OWASP Top 10, as well as other vulnerabilities, but I know enough to know that I don't know enough. I'd like to add some additional testing to our process to scan for vulnerabilities throughout the development process. We already do threat modeling throughout the project, as well as code reviews on all code changes going into production.

Also, as a part of our release process, we have penetration tests run against our sites in our staging environment before releasing to live, and also in live once it's released. However, I'm not confident that our penetration testing tools are adequate. Also, the penetration tests are costly, and can only be done every so often. I'd really like for our team to perform them throughout the entire development process. (It's a lot cheaper to fix holes early on than later on in the project.) I'm aware of tools like Havij that are used by cybercriminals, and I'm aware of how easy they make attacking sites with vulnerabilities for even non-technical people. I'd love to be able to use the same tools to test our own web sites in our test, then staging, then production environment. But I'm not willing to go to the "shady" sites or newsgroups to download the tools. (Why should the bad guys have all the good tools?) Even if I did know where to look, our network admins would never allow us to get those tools from an untrusted source. I'm perfectly willing to try to get upper management to pay for membership in white hat groups that might provide these tools, and even better, training, so I'm not necessarily looking for free. Is there a legitimate, trusted place where such tools can be downloaded or purchased for such white-hat purposes? I'm just looking for legal and legitimate sources.

Good answer from Chris Frazier, although I wouldn't personally recommend the CEH.