WebApp Sec mailing list archives
RE: Of the three expensive vulnerability scanners
From: Tommy <tommy () providesecurity com>
Date: Tue, 30 Nov 2004 00:09:29 -0500
After reading your paper, I would be curious to know several things about the research you did before writing this paper.

1. What was the testing criteria that was used to assign a security threat level?
2. Were you the one actually using the tools and testing against the criteria, or did you interview people who have used the tools?
3. If you interviewed people, how intimate were they with each of the tools? How many people did you interview?

I am asking these questions because there is no differentiation between what are network scanners and what are application scanners. Each will find different types of vulnerabilities that can be used in different types of attacks. In reality no one tool is perfect; every true assessment will involve using at least 3-4 of the tools on your list. Now if you broke the list down into 4 types of scanners (Network Scanners, Application Scanners, Source Code Scanners & Database Scanners), less experienced people would not be so confused.

For example, you posted this information for AppScan Auditor:

Penetration (4): This tool is great from an administrator point of view but is of very little use to a hacker
Damage Potential (1): Data gathering only

Since when isn't XSS, hidden field tampering, or SQL Injection of use to a hacker... better yet, a File Upload that doesn't validate an Extension. Damage Potential you gave a 1? Have you ever used SEND UNSAFE? Last time I checked, DOS to an Application was pretty severe. Also, if I remember correctly from my last pen test (today), a SQL Injection has a Very Severe Damage Potential... Ask PETCO about the damage to their reputation from a SQL Injection.

But these are just my two cents!

Tom Ryan
Lead Security Consultant
NET2S GROUP (NYC)

-----Original Message-----
From: Mark W. Webb [mailto:mark () dolphtech com]
Sent: Monday, November 29, 2004 9:29 AM
To: Joe Basirico
Cc: managingrisk () gmail com; webappsec () securityfocus com
Subject: Re: Of the three expensive vulnerability scanners

This is an excellent paper and I thank you for sharing the information with us. Do you have a copy that is "rolled up" into one document, like a PDF or one HTML page?

Thank you.

Joe Basirico wrote:

I recently wrote a security report on vulnerability scanners that you might want to check out. I reviewed 25 scanners that might help you make a decision. In my report I talk about what scanners do and how they do it; then in the Tool review (last page) each tool is individually reviewed with an overview, strengths, weaknesses, price and some other criteria. This Security Report was intended for the audience to decide which tools hackers are learning to help compromise your servers. This is normally a subscription-only report, but it's free until November 30th.

http://www.securityinnovation.com/security-report/vulnScanners1.htm

Thank you,

Joe Basirico
SECURITYINNOVATION - Software Security Engineer
http://www.securityinnovation.com
jbasirico () sisecure com
206-227-6458

-----Original Message-----
From: managingrisk () gmail com [mailto:managingrisk () gmail com]
Sent: Thursday, October 07, 2004 8:31 AM
To: webappsec () securityfocus com
Subject: Of the three expensive vulnerability scanners

I am trying to decide which of the three, supposedly "grade A" application vulnerability scanners suits our needs the best. I am looking at:

1. AppScan
2. Scando
3. WebInspect

(Are there others I should be looking at?)

Obviously, each claims to be the best. That's why I look to you folks to help me out here. I would appreciate it if members of the list would share with me their experiences with the tools I listed above, specifically around what their weaknesses, strengths, gotchas, etc. are.

Personally I have been using Atstake's WebProxy and I am not impressed with it at all.

Thank you.