Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: RE: Application Assessment
From: Kyle Starkey <kstarkey () siegeworks com>
Date: Fri, 12 Aug 2005 13:39:11 -0600

I would suggest against the appscan product unless you want to use their developers addition for pre compiled code... There has been very litle r&d time/dollars being allocated to this product in the past 24 months and as such it has lagged behind in functionaliy by comparison to the webinspect product.. If you only have budget for one tool I would suggest webinspect over the others...


On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:
Juan,

Approx 1 year ago we did an evaluation between Appscan, Kavado, WebInspect and AppDetective. We chose WebInspect for the range of vulnerabilities tested for, the granularity of test selection, the flexibility of use, etc. Contact me offline if you want more detail on our selection process.

Thank You

Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA
Principal Consultant

WaveFront Consulting Group
Certified Information Systems Security Professionals

wavefront1 () shaw ca | 1 (604) 961-0701


----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 Allen,

 One question... have you ever tried Watchfire's Appscan? If so,
 which tool
 could be better between Appscan and Webinspect?

 Juan Carlos Reyes Muñoz

 GIAC Certified Forensic Analyst - SANS Institute
 Consultor de Seguridad Informática

 Cel. (57) 311 513 9280

 Miami Mailbox
 1900 N.W. 97th Avenue
 Suite No. 722-1971
 Miami, FL 33172

 Las opiniones expresadas en esta comunicación son enteramente
 personales. De
 igual manera, esta comunicación y todos sus datos adjuntos son
 confidenciales y exclusivamente para el destinatario. Si por algún
 motivorecibe esta comunicación y usted NO es el destinatario,
 hágamelo saber
 respondiendo a este correo y por favor destruya cualquier copia
 del mismo y
 de los datos adjuntos. Por favor tambien trate de olvidar
 cualquier cosa que
 haya leido en esta comunicación, excepto en esta parte. Está prohibido
 cualquier uso inadecuado de esta información, así como la
 generación de
 copias de este mensaje. Gracias.

 The contents and thoughts included in this e-mail are completely
 personal.This e-mail message and any attachments are confidential
 and may be
 privileged. If you are not the intended recipient, please notify me
 immediately by replying to this message and please destroy all
 copies of
 this message and attachments. Please also try to forget everything
 you have
 read that was contained in this E-Mail message, except this part.
 Misuse,copying and redistribution of this e-mail are forbidden.
 Thank you.

 > -----Mensaje original-----
 > De: Brokken, Allen P. [BrokkenA () missouri edu]
 > Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m.
 > Para: Glyn Geoghegan; goenw
 > CC: pen-test () securityfocus com; Webappsec
 > Asunto: RE: Application Assessment
 >
 > I am a Security Analyst for the University of Missouri -
 Columbia Campus.
 > I came from a systems administration background, and in the past
 18 months
 > have been tasked with application security as just part of a greater
 > Information Systems Auditing program.
 >
 > I personally have used
 >
 > SpikeProxy from www.insecure.org
 > Paros, mentioned by others
 > and evaluated a handful of other Proxy/Automated Attack Methods.
 >
 > However, the best tool I've seen and the one we finally
 purchased is
 > WebInspect from SPI Dynamics
 > http://www.spidynamics.com
 >
 > I did some independent test between SpikeProxy and WebInspect on
 the a few
 > different applications.  With SpikeProxy it took basically 1
 working day
 > to run the tool, and verify false positives, look up good
 references for
 > the vulnerabilities and write the report.  The same application with
 > WebInspect took approximately 15 minutes of my time to
 configure, and
 > generate the final report while taking about 2 hours to actually run
 > without my intervention.  It typically found 20% more
 vulnerabilities than
 > I could find by the more manual method with SpikeProxy, and produced
 > extensive reports that not only explained the vulnerabilities,
 but gave
 > code references the developers could use to fix their problem.
 >
 > Those were results I got prior to training.  I got some
 extensive training
 > with the tool and on web application testing in general at
 Security-PS
 > http://www.securityps.com.  They are a Professional Application
 Security> auditing company and they use this as their core tool
 because of both the
 > accuracy of the tool and the responsiveness of the company.  In the
 > training I got to learn how to effectively use the a whole suite
 of tools
 > including a Web Brute force attacker, SQL Injector, Proxy,
 Encoders /
 > Decoders, and Web Service assessment tools to name a few.
 >
 > The tool is a little pricey, but I work with litterally dozens
 of campus
 > departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL
 Server and
 > even VBScript/Access systems with the WebInspect Suite of tools.
 The #1
 > comment I get from the developers is how helpful the report was in
 > correcting their code. For that broad spectrum of coding
 enviroments I
 > couldn't possibly provide code level help to the developers
 without this
 > product.
 >
 > We've been using it now for almost a year and the responsiveness
 of their
 > Sales and Technial staff has been extreme.  I haven't had a
 single issue
 > that wasn't resolved in less than 24 hours.  I've also gotten a
 lot of
 > support from their sales staff regarding application security
 awareness> for our campus developers in general.
 >
 > One last thing to mention is the updates.  I have never seen a
 tool that
 > is so consistently updated.  I have run 2 or 3 assessments in
 the same day
 > and had updates for new vulnerabilities made available each time
 I ran the
 > tool.  If a week goes by without using it there can be
 litterally 100's of
 > new signatures it needs to add to the list.
 >
 > If you have more questions and want to talk offline I'd be happy
 to answer
 > them.
 >
 > Allen Brokken
 > Systems Security Analyst - Principal
 > Univeristy of Missouri
 > brokkena () missouri edu


 -----BEGIN PGP SIGNATURE-----
 Version: PGP Desktop 9.0.1 (Build 2185)
 Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.

 iQIVAwUBQvy/k4ElKqNdrUwNAQgxhw//c/aBxhmWEZl5lisTuM4YjV7VL5ikWCzr
 OwwfVoV+dnAzYSio55zhGidKLh/kU9A12WdWz6a77xSZyPmsf0mVszyN0cYuf24A
 /jtxb9GRAdlyLii1r38FdQ2BKCl3/Wydd2Q5seyukNZMg5QggdtSPMyKwF4pkehD
 7Z6Hb/M+bQjJN7zyn8L/94Kr0LJU8GK8AWCO4XB+yku5ndUOmcWF+XJrClx3qUSO
 FWj75d+fasRXuM8/Z9bBeCfvDlhuTh01afa68Mz2aO5uOoCooDvsAa0S9q6gre8e
 TDzl8okWMzudyKdJrbkW5JPb3SGvtAvcsfdRKX+qv4dbhxFnbKncghhwMgBY+2ua
 uZ8nieMtvjTbpPNev0VQe7nDCD0XPR6Ft9Ty1DddYY9SbIOoJAYR0oQ50zBi769i
 Eq0CD8++Hf4oqrBHZEkIMsotNYVTEjOcdbiP9lqd/efZ0Tcl5pZKP8qqGcUF1/D4
 OUpq4JEM/N3iw0dTBPLnvIcHftE6Ou/VJAr8EFjUAw++9LBcwXKd9U5q+1j2ysBo
 ELRd+wpTz5dTc73nQeTjA8MNJspO82JHf8C/c0f89OlKMgDx8fcnwcV+FL8L52Od
 /KITItOoltULIhvFoHHWK23mWibJffu4XMN00YAwTzlC09iQMUZisdX+Jju6gsz5
 Eyk0+jWqQCg=
 =L/PW
 -----END PGP SIGNATURE-----



------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
Kyle Starkey
Senior Security Consultant
SiegeWorks
Cell: 435-962-8986
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]