Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Opinions of automated testers
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Mon, 7 May 2007 22:02:45 -0700


First of all, it depends on what you want in a pen-test tool. Second, it
also depends on what you mean by pen-testing.  In my opinion, unless there
is an actual exploit leveraged and a payload or injection of some sort, you
are talking Vulnerability Assessment and not pen-testing. It's a semantic
difference to some but there is a procedural difference between identifying
potential vulnerabilities and actively exploiting found vulnerabilities.

The 3 tools you list are all web application-centric in their focus and are
not what I would consider true pen-testing tools per se; they are more
Application layer vulnerability scanners with limited exploit payloads to
reduce false positive findings (XSS and SQL injection checks etc).
Watchfire's AppScan, Cenzic's Hailstorm, and SPI's WebInspect are all great
tools but they do not test the full gamut of OS or services. If you are
focused solely on application layer assessment then any of these 3 should
suit your needs. I personally prefer WebInspect due to some of the extra
tools and functionality it provides, as well as the various customizable
report patterns and compliancy-directed scanning but each has it's strong

If you are looking for what most on the list would consider broad spectrum
pen-testing tools you should take a look at Core Impact or Metasploit. There
are other pen-testing tools available but these two are probably the most
widely used. Core=commercial, Metasploit=OSS so if your organization needs
support not found in a chat room or online forum Core is the way to go. I'm
fond of how Impact's payload is a memory-resident compromise so there is no
actual change to the target compromised system and it can use any exploited
box found to search out other machines it can see which is valuable in
moving your penetration farther into the private network.

While automated tools are getting better and easier to use, nothing beats an
experienced pen-testing services company. The better ones go beyond
automated tool runs and can offer services that include social engineering,
custom exploit coding, and other company-specific scope needs. Depending on
your budget you may also want to look into that avenue.

Hope that helps and welcome to the list.

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of 
zackpeters75 () yahoo com
Sent: Monday, May 07, 2007 8:58 PM
To: pen-test () securityfocus com
Subject: Opinions of automated testers


My manager gave me our pen testing project and I'm still 
coming up to speed so forgive me if this question is not 100% 
list appropriate.

From what I can tell the top 3 automated pen testing 
programs are from SPI Dynamics, Cenzic and Watchfire. I 
haven't evaled any of them quite yet but they each seem to 
have their advantages and disadvantages. Cenzic is claiming 
to be the most accurate at least according to their 20/20 
marketing program 
http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm 
wondering what people have actually seen.

And if any of you posters from SPI, Cenzic or Watchfire want 
to email me directly and tell me your benefits, that's fine. 
I don't want the thread to be a sales pitch, just looking to 
benefit from the knowledge of others.

Thanks everyone!


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with 
our 20/20 program!


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]