WebApp Sec mailing list archives

RE: Of the three expensive vulnerability scanners


From: Tommy <tommy () providesecurity com>
Date: Tue, 30 Nov 2004 00:09:29 -0500

After reading your paper, I would be curious to know several things about
the research you did before writing this paper.

1. What were the testing criteria that were used to assign a security threat
level?

2. Were you the one actually using the tools and testing against the
criteria, or did you interview people who have used the tools?

3. If you interviewed people, how intimate were they with each of the tools?
        How many people did you interview?

I am asking these questions because there is no differentiation between what
are network scanners and what are application scanners. Each will find
different types of vulnerabilities that can be used in different types of
attacks.  In reality no one tool is perfect; every true assessment will
involve using at least 3-4 of the tools on your list.

Now if you broke the list down into 4 types of scanners (Network Scanners,
Application Scanners, Source Code Scanners & Database Scanners), less
experienced people would not be so confused.

For example, you posted this information for AppScan Auditor:

Penetration (4):
This tool is great from an administrator point of view but is of very little
use to a hacker 

Damage Potential (1):
Data gathering only

Since when aren't XSS, hidden field tampering and SQL Injection of use to a
hacker... better yet, a File Upload that doesn't validate an extension?
You gave Damage Potential a 1? Have you ever used SEND UNSAFE?
Last time I checked, DoS to an application was pretty severe.
Also, if I remember correctly from my last pen test (today), a SQL Injection
has a Very Severe Damage Potential... Ask PETCO about the damage to their
reputation from a SQL Injection.

But these are just my two cents!

Tom Ryan
Lead Security Consultant
NET2S GROUP (NYC)




-----Original Message-----
From: Mark W. Webb [mailto:mark () dolphtech com] 
Sent: Monday, November 29, 2004 9:29 AM
To: Joe Basirico
Cc: managingrisk () gmail com; webappsec () securityfocus com
Subject: Re: Of the three expensive vulnerability scanners

This is an excellent paper and I thank you for sharing the information 
with us.  Do you have a copy that is "rolled up" into one document, like 
a PDF or one HTML page ?

Thank you.

Joe Basirico wrote:

I recently wrote a security report on vulnerability scanners that you might
want to check out. I reviewed 25 scanners that might help you make a
decision. In my report I talk about what scanners do and how they do it,
then in the Tool review (last page) each tool is individually reviewed with
an overview, strengths, weaknesses, price and some other criteria. This
Security Report was intended for the audience to decide which tools hackers
are learning to help compromise your servers.

This is normally a subscription only report but it's free until November
30th.

http://www.securityinnovation.com/security-report/vulnScanners1.htm

Thank you,
Joe Basirico
SECURITYINNOVATION - Software Security Engineer
http://www.securityinnovation.com
jbasirico () sisecure com
206-227-6458

-----Original Message-----
From: managingrisk () gmail com [mailto:managingrisk () gmail com] 
Sent: Thursday, October 07, 2004 8:31 AM
To: webappsec () securityfocus com
Subject: Of the three expensive vulnerability scanners



I am trying to decide which of the three supposedly "grade A" application
vulnerability scanners suits our needs the best. I am looking at:

1. AppScan
2. Scando
3. WebInspect

(Are there others I should be looking at?)

Obviously, each claims to be the best. That's why I look to you folks to
help me out here. I would appreciate it if members of the list would share
with me their experiences with the tools I listed above, specifically
what their weaknesses, strengths, gotchas, etc. are.

Personally I have been using Atstake's WebProxy and I am not impressed with
it at all.

Thank you.
