WebInspect and AppDetective. We chose WebInspect for the range of vulnerabilities tested for, the granularity of test selection, the flexibility of use, etc. Contact me offline if you want more detail on our selection process.
Thank You
Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA
Principal Consultant
WaveFront Consulting Group
Certified Information Systems Security Professionals
wavefront1 () shaw ca | 1 (604) 961-0701
----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment
Allen,
One question... have you ever tried Watchfire's Appscan? If so, which tool could be better between Appscan and Webinspect?
Juan Carlos Reyes Muñoz
GIAC Certified Forensic Analyst - SANS Institute
Information Security Consultant
Cel. (57) 311 513 9280
Miami Mailbox
1900 N.W. 97th Avenue
Suite No. 722-1971
Miami, FL 33172
The opinions expressed in this communication are entirely personal. Likewise, this communication and all its attachments are confidential and exclusively for the addressee. If for any reason you receive this communication and you are NOT the addressee, let me know by replying to this e-mail and please destroy any copy of it and of the attachments. Please also try to forget anything you have read in this communication, except this part. Any inappropriate use of this information is prohibited, as is making copies of this message. Thank you.
The contents and thoughts included in this e-mail are completely personal. This e-mail message and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify me immediately by replying to this message and please destroy all copies of this message and attachments. Please also try to forget everything you have read that was contained in this E-Mail message, except this part. Misuse, copying and redistribution of this e-mail are forbidden. Thank you.
----- Original Message -----
From: Brokken, Allen P. [BrokkenA () missouri edu]
Sent: Thursday, August 11, 2005 01:43 p.m.
To: Glyn Geoghegan; goenw
CC: pen-test () securityfocus com; Webappsec
Subject: RE: Application Assessment
I am a Security Analyst for the University of Missouri - Columbia Campus. I came from a systems administration background, and in the past 18 months have been tasked with application security as just part of a greater Information Systems Auditing program.
I personally have used
SpikeProxy from www.insecure.org
Paros, mentioned by others
and evaluated a handful of other Proxy/Automated Attack Methods.
However, the best tool I've seen and the one we finally purchased is WebInspect from SPI Dynamics, http://www.spidynamics.com
I did some independent tests between SpikeProxy and WebInspect on a few different applications. With SpikeProxy it took basically 1 working day to run the tool, verify false positives, look up good references for the vulnerabilities and write the report. The same application with WebInspect took approximately 15 minutes of my time to configure and generate the final report, while taking about 2 hours to actually run without my intervention. It typically found 20% more vulnerabilities than I could find by the more manual method with SpikeProxy, and produced extensive reports that not only explained the vulnerabilities, but gave code references the developers could use to fix their problem.
Those were results I got prior to training. I got some extensive training with the tool and on web application testing in general at Security-PS, http://www.securityps.com. They are a Professional Application Security auditing company and they use this as their core tool because of both the accuracy of the tool and the responsiveness of the company. In the training I got to learn how to effectively use a whole suite of tools including a Web Brute force attacker, SQL Injector, Proxy, Encoders / Decoders, and Web Service assessment tools to name a few.
The tool is a little pricey, but I work with literally dozens of campus departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL Server and even VBScript/Access systems with the WebInspect Suite of tools. The #1 comment I get from the developers is how helpful the report was in correcting their code. For that broad spectrum of coding environments I couldn't possibly provide code level help to the developers without this product.
We've been using it now for almost a year and the responsiveness of their Sales and Technical staff has been extreme. I haven't had a single issue that wasn't resolved in less than 24 hours. I've also gotten a lot of support from their sales staff regarding application security awareness for our campus developers in general.
One last thing to mention is the updates. I have never seen a tool that is so consistently updated. I have run 2 or 3 assessments in the same day and had updates for new vulnerabilities made available each time I ran the tool. If a week goes by without using it there can be literally hundreds of new signatures it needs to add to the list.
If you have more questions and want to talk offline I'd be happy to answer them.
Allen Brokken
Systems Security Analyst - Principal
University of Missouri
brokkena () missouri edu
----------------------------------------------------------------