Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Opinions of automated testers
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Wed, 9 May 2007 10:58:25 -0700

Mathijs,

SPI Dynamics does have a demo download with a temp key that allows you to
test WebInspect using their http://zero.webappsecurity.com website. The site
is completely reimaged each night so you can play around with the tool to
your heart's content with SQL injection, fuzzing, etc. They've done a great
job in setting things up so potential clients can get a really good feel for
the tool and it's capabilities. I don't work for SPI but I've worked with
them extensively in the past and am most familiar with their product so take
my recommendations with a grain of salt. Other products may suit your needs
better in particular areas or capabilities.

I'm not certain if Cenzic or the other webappsec tools have a similar
setup/trial playground for product evaluation but I would be surprised if
that wasn't the case. Most companies in this product space also offer
pricing for corporate (unlimited internal usage) clients as well as lower
cost engagement-based licensing for consultants/services companies.

I know you vendors lurk on the list so if any SPI, Cenzic, or Watchfire guys
want to pipe up with more info I'll let it through as long as it isn't too
sales-pitch-ish. If you could provide a relatively unbiased comparison
between your tool and the others in your space in regards to what features
you have and how they compare to your competition that would be useful for
this audience. Some products excel in a particular area or have feature sets
unique to you and having some more technical information on the capabilities
of each would be useful. Just bear in mind that the audience is pen-testers
and not the SecurityFcus webappsec list which also discusses these
questions. :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of M. Groen
Sent: Tuesday, May 08, 2007 11:28 PM
To: pen-test () securityfocus com
Subject: RE: Opinions of automated testers

Thanks for the clear explanation.

One other question, does anyone happen to know if there are 
sites on which you can try "pen testing" products, like 
WebInspect, or Hailstorm? I mean a " playground" on which it 
is allowed to do pen-tensting (and make mistakes)?

Mathijs

Zack,

First of all, it depends on what you want in a pen-test 
tool. Second, 
it also depends on what you mean by pen-testing.  In my opinion, 
unless there is an actual exploit leveraged and a payload 
or injection 
of some sort, you are talking Vulnerability Assessment and not 
pen-testing. It's a semantic difference to some but there is a 
procedural difference between identifying potential vulnerabilities 
and actively exploiting found vulnerabilities.

The 3 tools you list are all web application-centric in their focus 
and are not what I would consider true pen-testing tools 
per se; they 
are more Application layer vulnerability scanners with 
limited exploit 
payloads to reduce false positive findings (XSS and SQL injection 
checks etc).
Watchfire's AppScan, Cenzic's Hailstorm, and SPI's 
WebInspect are all 
great tools but they do not test the full gamut of OS or 
services. If 
you are focused solely on application layer assessment then any of 
these 3 should suit your needs. I personally prefer 
WebInspect due to 
some of the extra tools and functionality it provides, as 
well as the 
various customizable report patterns and 
compliancy-directed scanning 
but each has it's strong points.

If you are looking for what most on the list would consider broad 
spectrum pen-testing tools you should take a look at Core 
Impact or Metasploit.
There
are other pen-testing tools available but these two are 
probably the 
most widely used. Core=commercial, Metasploit=OSS so if your 
organization needs support not found in a chat room or 
online forum Core is the way to go.
I'm
fond of how Impact's payload is a memory-resident 
compromise so there 
is no actual change to the target compromised system and it can use 
any exploited box found to search out other machines it can 
see which 
is valuable in moving your penetration farther into the private 
network.

While automated tools are getting better and easier to use, nothing 
beats an experienced pen-testing services company. The 
better ones go 
beyond automated tool runs and can offer services that 
include social 
engineering, custom exploit coding, and other 
company-specific scope 
needs. Depending on your budget you may also want to look into that 
avenue.

Hope that helps and welcome to the list.


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of 
zackpeters75 () yahoo com
Sent: Monday, May 07, 2007 8:58 PM
To: pen-test () securityfocus com
Subject: Opinions of automated testers

Hi,

My manager gave me our pen testing project and I'm still 
coming up to 
speed so forgive me if this question is not 100% list appropriate.

From what I can tell the top 3 automated pen testing
programs are from SPI Dynamics, Cenzic and Watchfire. I haven't 
evaled any of them quite yet but they each seem to have their 
advantages and disadvantages. Cenzic is claiming to be the most 
accurate at least according to their 20/20 marketing program
http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm 
wondering what 
people have actually seen.

And if any of you posters from SPI, Cenzic or Watchfire 
want to email 
me directly and tell me your benefits, that's fine.
I don't want the thread to be a sales pitch, just looking 
to benefit 
from the knowledge of others.

Thanks everyone!

Zack

--------------------------------------------------------------
----------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with 
our 20/20 
program!

http://www.cenzic.com/c/2020
--------------------------------------------------------------
----------




----------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with 
our 20/20 
program!

http://www.cenzic.com/c/2020

----------------------------------------------------------------------
--





--------------------------------------------------------------
----------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with 
our 20/20 program!

http://www.cenzic.com/c/2020
--------------------------------------------------------------
----------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]