WebApp Sec mailing list archives

RE: Application Assessment


From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Thu, 11 Aug 2005 13:42:34 -0500

I am a Security Analyst for the University of Missouri - Columbia Campus.  I came from a systems administration 
background, and in the past 18 months have been tasked with application security as just part of a greater Information 
Systems Auditing program.
 
I personally have used
 
SpikeProxy from www.insecure.org
Paros, mentioned by others
and evaluated a handful of other Proxy/Automated Attack Methods.  
 
However, the best tool I've seen and the one we finally purchased is WebInspect from SPI Dynamics
http://www.spidynamics.com
 
I did some independent tests between SpikeProxy and WebInspect on a few different applications.  With SpikeProxy it 
took basically 1 working day to run the tool, verify false positives, look up good references for the 
vulnerabilities and write the report.  The same application with WebInspect took approximately 15 minutes of my time to 
configure and generate the final report, while taking about 2 hours to actually run without my intervention.  It 
typically found 20% more vulnerabilities than I could find by the more manual method with SpikeProxy, and produced 
extensive reports that not only explained the vulnerabilities, but gave code references the developers could use to fix 
their problem.
 
Those were results I got prior to training.  I got some extensive training with the tool and on web application testing 
in general at Security-PS http://www.securityps.com.  They are a Professional Application Security auditing company and 
they use this as their core tool because of both the accuracy of the tool and the responsiveness of the company.  In 
the training I got to learn how to effectively use a whole suite of tools including a Web Brute force attacker, SQL 
Injector, Proxy, Encoders / Decoders, and Web Service assessment tools to name a few.
 
The tool is a little pricey, but I work with literally dozens of campus departments and have evaluated LAMP, 
JAVA/ORACLE, ASP.NET/SQL Server and even VBScript/Access systems with the WebInspect Suite of tools.  The #1 comment I 
get from the developers is how helpful the report was in correcting their code.  For that broad spectrum of coding 
environments I couldn't possibly provide code level help to the developers without this product.
 
We've been using it now for almost a year and the responsiveness of their Sales and Technical staff has been extreme.  I 
haven't had a single issue that wasn't resolved in less than 24 hours.  I've also gotten a lot of support from their 
sales staff regarding application security awareness for our campus developers in general.
 
One last thing to mention is the updates.  I have never seen a tool that is so consistently updated.  I have run 2 or 3 
assessments in the same day and had updates for new vulnerabilities made available each time I ran the tool.  If a week 
goes by without using it there can be literally hundreds of new signatures it needs to add to the list.
 
If you have more questions and want to talk offline I'd be happy to answer them.
 
Allen Brokken
Systems Security Analyst - Principal
University of Missouri
brokkena () missouri edu
