WebApp Sec mailing list archives
RE: Automagic webapp testing tools
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 10 Mar 2005 12:35:58 -0600
1. There will be a resource launched on www.owasp.org the first week of April on this subject.

2. Marketing hype and dishonesty is staggering in the webappsec space. Personally I think this is more due to a mix of ignorance and well-meaning incompetence than some subtle sales malice, but that's irrelevant to the facts.

3. Lots of value in these automation tools *if* and *where* they work.

4. No substitute for manual testing.

5. I finished an assessment for one of the largest banks in the US and they told me my 100+ page hand-written analysis of 40-some issues was "comparable" to the competitor that gave them 300 pages of AppScan bull****. Printed straight out of the tool. OH-NO, robots.txt again!

6. I delight in asking vendors to explain how to exploit XST (webappscanner, traditional vuln scanners, web app testers, whoever) and while half the time they can't even give an attack scenario, it's even better when they do and I ask "now why would anyone do that if those preconditions are true?". :)

-ae
-----Original Message-----
From: inflatablekiwi () gmail com [mailto:inflatablekiwi () gmail com]
Sent: Wednesday, March 09, 2005 2:02 AM
To: webappsec () securityfocus com
Subject: Automagic webapp testing tools

Hi Folks,

I currently use SPI WebInspect as part of a process for vulnerability assessments/pen tests on different web applications. The license is up for renewal soon and before re-purchasing, I'm wondering if anyone on the list has any real world thoughts/experiences on how it stacks up against some of the alternatives like:

- Watchfire Appscan
- Kavado ScanDo
- Any others I've missed

Any list member's thoughts (on or off the list) or pointers to good product comparisons for these would be much appreciated. I'm more of a believer in manual testing myself (yay Netcat and WebScarab!), but I also see the value in these sorts of tools.

Ta,
IF

P.S. Also as a totally random aside - I've recently been reading a couple of different security vendors' pen test reports for similar profile web sites and I'm amazed by the analysis disparity on the same simple issues (like track and trace verbs being enabled - ranging from "Extreme Risk - The sky is falling - you will be owned now" to "Low risk - disable these verbs and move along"). Just saying.