Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Application Assessment
From: Pete Herzog <lists () isecom org>
Date: Sat, 13 Aug 2005 10:48:51 +0200

Have you looked at Cruiser at www.dyadlabs.com?  It's touted to be the
open-source alternative to the commercial application assessors.

-pete.

secureuniverse () hushmail com wrote:
Guys

I have been a free lance writer and a research analyst and write 
under different pen names. Usually, I don't post message on these 
boards but all the chatter got to me. There are a number of ways to 
assessing your applications. Besides all the open source tools, 
there are a number of commercial tools as well as service providers 
who can help you. Here are the pros and cons of each:

Open Source
-Nessus, Nikto, Whisker etc. - Pros - These are fee. Cons - Very 
limited in functionality, lack of reporting, lack of support. If 
you are serious about testing, you would use these to play with but 
quickly move on to commerical products

Commercial
- Four key players - Cenzic, Kavado, SpiDynamics, Watchfire. These 
points are based on feedback from various companies, journalists, 
analysts, and indepedent evaluations.

Kavado - Out of business recently 
Watchfire - Had acquired Sanctum for web scanner. Pro - has been 
around for a long time. Cons- Lots of false positives. Lack of 
stability in the product
Spidynamics - Has been around for a while. Pro - has the largest 
installed base. Easy interface. Cons - Lots of false positives. 
Signature based approach for most vulnerabilities
Cenzic - Around for a while but restarted and rearchitected the 
product two years ago. Announced the new products a few months ago. 
Pros - Based on various input points, very different and refreshing 
approach. Doesn't use signature base methodology. Very few false 
positives and exteremely flexible allowing companies to create 
their own test scripts easily. Proven even better than manual 
testing results in many cases. Cons - Newer player with not as big 
an installed base as other companies. 

Service providers


Various SIs - big 5 and many boutique firms who provide pen testing 
and manual security assessments. Pros - manual testing can 
generally provide good results depending on the caliber of the 
consultant. Cons -Generally too expensive and time consuming

Depending on your needs, you can pick one or a combination of 
these. Good luck! 

On Fri, 12 Aug 2005 12:39:11 -0700 Kyle Starkey 
<kstarkey () siegeworks com> wrote:

I would suggest against the appscan product unless you want to use 


their 
developers addition for pre compiled code... There has been very 
litle 
r&d time/dollars being allocated to this product in the past 24 
months 
and as such it has lagged behind in functionaliy by comparison to 
the 
webinspect product.. If you only have budget for one tool I would 
suggest webinspect over the others...


On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:

Juan,

Approx 1 year ago we did an evaluation between Appscan, Kavado, 
WebInspect and AppDetective. We chose WebInspect for the range 

of 

vulnerabilities tested for, the granularity of test selection, 

the 

flexibility of use, etc. Contact me offline if you want more 

detail on 

our selection process.

Thank You

Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA
Principal Consultant

WaveFront Consulting Group
Certified Information Systems Security Professionals

wavefront1 () shaw ca | 1 (604) 961-0701


----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment


Allen,

One question... have you ever tried Watchfire's Appscan? If 

so,

which tool
could be better between Appscan and Webinspect?

Juan Carlos Reyes Muñoz

GIAC Certified Forensic Analyst - SANS Institute
Consultor de Seguridad Informática

Cel. (57) 311 513 9280

Miami Mailbox
1900 N.W. 97th Avenue
Suite No. 722-1971
Miami, FL 33172

Las opiniones expresadas en esta comunicación son enteramente
personales. De
igual manera, esta comunicación y todos sus datos adjuntos son
confidenciales y exclusivamente para el destinatario. Si por 

algún

motivorecibe esta comunicación y usted NO es el destinatario,
hágamelo saber
respondiendo a este correo y por favor destruya cualquier 

copia

del mismo y
de los datos adjuntos. Por favor tambien trate de olvidar
cualquier cosa que
haya leido en esta comunicación, excepto en esta parte. Está 

prohibido

cualquier uso inadecuado de esta información, así como la
generación de
copias de este mensaje. Gracias.

The contents and thoughts included in this e-mail are 

completely

personal.This e-mail message and any attachments are 

confidential

and may be
privileged. If you are not the intended recipient, please 

notify me

immediately by replying to this message and please destroy all
copies of
this message and attachments. Please also try to forget 

everything

you have
read that was contained in this E-Mail message, except this 

part.

Misuse,copying and redistribution of this e-mail are 

forbidden.

Thank you.

-----Mensaje original-----
De: Brokken, Allen P. [BrokkenA () missouri edu]
Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m.
Para: Glyn Geoghegan; goenw
CC: pen-test () securityfocus com; Webappsec
Asunto: RE: Application Assessment

I am a Security Analyst for the University of Missouri -
Columbia Campus.
I came from a systems administration background, and in the 

past

18 months
have been tasked with application security as just part of a 


greater

Information Systems Auditing program.

I personally have used

SpikeProxy from www.insecure.org
Paros, mentioned by others
and evaluated a handful of other Proxy/Automated Attack 

Methods.


However, the best tool I've seen and the one we finally
purchased is
WebInspect from SPI Dynamics
http://www.spidynamics.com

I did some independent test between SpikeProxy and 

WebInspect on

the a few
different applications.  With SpikeProxy it took basically 1
working day
to run the tool, and verify false positives, look up good
references for
the vulnerabilities and write the report.  The same 

application with

WebInspect took approximately 15 minutes of my time to
configure, and
generate the final report while taking about 2 hours to 

actually run

without my intervention.  It typically found 20% more
vulnerabilities than
I could find by the more manual method with SpikeProxy, and 

produced

extensive reports that not only explained the 

vulnerabilities,

but gave
code references the developers could use to fix their 

problem.


Those were results I got prior to training.  I got some
extensive training
with the tool and on web application testing in general at
Security-PS
http://www.securityps.com.  They are a Professional 

Application

Security> auditing company and they use this as their core 

tool

because of both the
accuracy of the tool and the responsiveness of the company.  


In the

training I got to learn how to effectively use the a whole 

suite

of tools
including a Web Brute force attacker, SQL Injector, Proxy,
Encoders /
Decoders, and Web Service assessment tools to name a few.

The tool is a little pricey, but I work with litterally 

dozens

of campus
departments and have evaluated LAMP, JAVA/ORACLE, 

ASP.NET/SQL

Server and
even VBScript/Access systems with the WebInspect Suite of 

tools.

The #1
comment I get from the developers is how helpful the report 

was in

correcting their code. For that broad spectrum of coding
enviroments I
couldn't possibly provide code level help to the developers
without this
product.

We've been using it now for almost a year and the 

responsiveness

of their
Sales and Technial staff has been extreme.  I haven't had a
single issue
that wasn't resolved in less than 24 hours.  I've also 

gotten a

lot of
support from their sales staff regarding application 

security

awareness> for our campus developers in general.

One last thing to mention is the updates.  I have never seen 


a

tool that
is so consistently updated.  I have run 2 or 3 assessments 

in

the same day
and had updates for new vulnerabilities made available each 

time

I ran the
tool.  If a week goes by without using it there can be
litterally 100's of
new signatures it needs to add to the list.

If you have more questions and want to talk offline I'd be 

happy

to answer
them.

Allen Brokken
Systems Security Analyst - Principal
Univeristy of Missouri
brokkena () missouri edu





-----------------------------------------------------------------

-------------

FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That 


You 

Don't

Learn the hacker's secrets that compromise wireless LANs. Secure 


your

WLAN by understanding these threats, available hacking tools and 


proven

countermeasures. Defend your WLAN against man-in-the-Middle 

attacks and

session hijacking, denial-of-service, rogue access points, 

identity

thefts and MAC spoofing. Request your complimentary white paper 

at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-----------------------------------------------------------------


--------------
Kyle Starkey
Senior Security Consultant
SiegeWorks
Cell: 435-962-8986




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427


------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------




------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]