-----BEGIN PGP SIGNED MESSAGE-----
One question... have you ever tried Watchfire's Appscan? If so,
could be better between Appscan and Webinspect?
Juan Carlos Reyes Muñoz
GIAC Certified Forensic Analyst - SANS Institute
Consultor de Seguridad Informática
Cel. (57) 311 513 9280
1900 N.W. 97th Avenue
Suite No. 722-1971
Miami, FL 33172
Las opiniones expresadas en esta comunicación son enteramente
igual manera, esta comunicación y todos sus datos adjuntos son
confidenciales y exclusivamente para el destinatario. Si por algún
motivorecibe esta comunicación y usted NO es el destinatario,
respondiendo a este correo y por favor destruya cualquier copia
del mismo y
de los datos adjuntos. Por favor tambien trate de olvidar
cualquier cosa que
haya leido en esta comunicación, excepto en esta parte. Está prohibido
cualquier uso inadecuado de esta información, así como la
copias de este mensaje. Gracias.
The contents and thoughts included in this e-mail are completely
personal.This e-mail message and any attachments are confidential
and may be
privileged. If you are not the intended recipient, please notify me
immediately by replying to this message and please destroy all
this message and attachments. Please also try to forget everything
read that was contained in this E-Mail message, except this part.
Misuse,copying and redistribution of this e-mail are forbidden.
De: Brokken, Allen P. [BrokkenA () missouri edu]
Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m.
Para: Glyn Geoghegan; goenw
CC: pen-test () securityfocus com; Webappsec
Asunto: RE: Application Assessment
I am a Security Analyst for the University of Missouri -
I came from a systems administration background, and in the past
have been tasked with application security as just part of a greater
Information Systems Auditing program.
I personally have used
SpikeProxy from www.insecure.org
Paros, mentioned by others
and evaluated a handful of other Proxy/Automated Attack Methods.
However, the best tool I've seen and the one we finally
WebInspect from SPI Dynamics
I did some independent test between SpikeProxy and WebInspect on
the a few
different applications. With SpikeProxy it took basically 1
to run the tool, and verify false positives, look up good
the vulnerabilities and write the report. The same application with
WebInspect took approximately 15 minutes of my time to
generate the final report while taking about 2 hours to actually run
without my intervention. It typically found 20% more
I could find by the more manual method with SpikeProxy, and produced
extensive reports that not only explained the vulnerabilities,
code references the developers could use to fix their problem.
Those were results I got prior to training. I got some
with the tool and on web application testing in general at
http://www.securityps.com. They are a Professional Application
Security> auditing company and they use this as their core tool
because of both the
accuracy of the tool and the responsiveness of the company. In the
training I got to learn how to effectively use the a whole suite
including a Web Brute force attacker, SQL Injector, Proxy,
Decoders, and Web Service assessment tools to name a few.
The tool is a little pricey, but I work with litterally dozens
departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL
even VBScript/Access systems with the WebInspect Suite of tools.
comment I get from the developers is how helpful the report was in
correcting their code. For that broad spectrum of coding
couldn't possibly provide code level help to the developers
We've been using it now for almost a year and the responsiveness
Sales and Technial staff has been extreme. I haven't had a
that wasn't resolved in less than 24 hours. I've also gotten a
support from their sales staff regarding application security
awareness> for our campus developers in general.
One last thing to mention is the updates. I have never seen a
is so consistently updated. I have run 2 or 3 assessments in
the same day
and had updates for new vulnerabilities made available each time
I ran the
tool. If a week goes by without using it there can be
litterally 100's of
new signatures it needs to add to the list.
If you have more questions and want to talk offline I'd be happy
Systems Security Analyst - Principal
Univeristy of Missouri
brokkena () missouri edu
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)
Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.
-----END PGP SIGNATURE-----