Smartfuzzing The Web: Carpe Vestra Foramina

Black Hat USA 2011

Presented by: Justin Engler, Gregory Fleischer, Nathan Hamiel, Seth Law
Date: Thursday August 04, 2011
Time: 15:15 - 16:30
Location: Roman
Track: Web Hacking

It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job, and on top of that some tools don't do a great job at anything. Often, in the hands of general users, the capabilities and limitations of these tools are not even considered during testing. Point, click, done. The attack surface of modern web environments, as well as their protection mechanisms, has become increasingly complicated, and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested.

There is certainly no shortage of vulnerabilities in modern web environments, but we should be looking beyond low-hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but by humans creating custom tests. This is why the semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving into the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided. We also provide a tool that begins to solve some of these problems and provides analysis for your own tools and scripts. Your web applications have moved on; don't you think it's time your tools did the same?

Nathan Hamiel

Adrian is a CTO and Analyst at Securosis, bringing over 24 years of industry experience to the research team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, and regularly contributes to Dark Reading, Information Security Magazine and other security publications. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.

Justin Engler

Justin Engler is a Security Consultant for FishNet Security's Application Security practice. His focus is on the security of web applications, web-backed thick clients (desktop and mobile), databases, and industrial control systems. Justin is currently working on the open source RAFT project.

Seth Law

Seth Law is a Principal Consultant for FishNet Security in Application Security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects, including RAFT.

Gregory Fleischer

Gregory is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.
