RE: Automagic webapp testing tools

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

1. There will be a resource launched on www.owasp.org the first week
of April on this subject.

2. Marketing hype and dishonesty is staggering in the webappsec space.

Personally I think this is more due to a mix of ignorance and well-meaning
incompetence than some subtle sales malice, but that's irrelevant to the facts.

3. Lots of value in these automation tools *if* and *where* they work.

4. No substitute for manual testing.

5. I finished an assessment for one of the largest banks in the US and they
told me my 100+ page hand written analysis of 40-some issues was "comparable"
to the competitor that gave them 300 pages of AppScan bull****.

Printed straight out of the tool. OH-NO, robots.txt again!

6. I delight in asking vendors to explain how to exploit XST (webappscanner,
traditional vuln scanners, web app testers, whoever) and while half the time
they can't even give an attack scenario it's even better when they do and
I ask "now why would anyone do that if those preconditions are true?".

:)

-ae


> -----Original Message-----
> From: inflatablekiwi () gmail com [mailto:inflatablekiwi () gmail com] 
> Sent: Wednesday, March 09, 2005 2:02 AM
> To: webappsec () securityfocus com
> Subject: Automagic webapp testing tools
>
>
>
>
> Hi Folks,
> I currently use SPI WebInspect for as part of a process for 
> vulnerability assessments/pen tests on different web 
> applications. The license is up for renewal soon and before 
> re-purchasing, I'm wondering if anyone on the list has any 
> real world thoughts/experiences on how it stacks up against 
> some of the alternatives like 
>
> - Watchfire Appscan
> - Kavado ScanDo
> - Any others I've missed
>
> Any list member's thoughts (on or off the list) or pointers to 
> good product comparisons for these would be much appreciated.  
> I'm more of a believer in manual testing myself (yay Netcat 
> and WebScarab!), but I also see the value in these sorts of tools.
>
> Ta,
> IF
>
> p.s Also as a totally random aside - I've recently been 
> reading a couple of different security vendors pen test 
> reports for similar profile web sites and I'm amazed by the 
> analysis disparity on the same simple issues (like track and 
> trace verbs being enabled - ranging from "Extreme Risk - The 
> sky is falling - you will be owned now" to "Low risk - disable 
> these verbs and move along").  Just saying.