|
WebApp Sec
mailing list archives
RE: Environment for testing WebApp Security Scanners
From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Tue, 8 Aug 2006 09:25:51 -0500
You might also consider looking at Foundstone's Hacme suite of sites as a compliment to site generator. I've found
that in testing scanners each methodology for building a site works different "muscles" in the scanner and having a
diverse back drop to test against is important.
Also, it has been useful to have someone unfamiliar with the various sites and scanners being tested do the actual
scanning. I've found that having an intimate knowledge of the site and scanner can boost individual performance
drastically and compared to the same person using different tools on a site they are unfamiliar with.
You might consider bringing in classmates who are technical, but unfamiliar with the tools / sites to do at least one
round of your testing. Most of the results/studies I've seen are done by highly trained professionals. However, most
purchasers of scanners have not risen to that level yet. So a study along those lines would be very useful.
Allen Brokken
Information Security and Account Management - IAT Services - University of Missouri -brokkena () missouri edu -
(573)884-8708
-----Original Message-----
From: René Palige [mailto:rwp () gmx de]
Sent: Monday, August 07, 2006 3:33 PM
To: webappsec () securityfocus com
Subject: Environment for testing WebApp Security Scanners
Hi!
I?m currently working on my bachelor thesis which is about the development
of a testsuite for different Web Application Security Scanners. My goal is
to provide an environment which can be used as a basis for testing and
evaluating the performance of the many tools already existing.
Consequently the main part of my work will be to implement different types
of vulnerabilites in more or less realistic scenarios and with different
characteristics. At the moment I?m planning to use OWASPs WebGoat as some
kind of groundwork.
My questions:
Which "features" would you consider to be necessary or useful in this
context? And what basic requirements do you see which should be met? Would
it be best to focus on "real-life scenarios"? Or rather to cover as many
aspects of a special class of vulnerabilities as possible?
Thanks in advance,
R. Palige
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
