WebApp Sec mailing list archives
Re: Application Assessment
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Thu, 11 Aug 2005 11:28:06 -0700
Notwithstanding the mischaracterization of WASC (www.webappsec.org), which is the consortium I assume you were referring to, web application scanner performance reviews would be a good thing for the community. In fact at Black Hat I was speaking to a couple of the scanner vendors about doing exactly that. The response I got was positive.
The fundamental challenge is developing fair and balanced criteria with which to test the products. Web application scanners of the open source and commercial variety have largely differing feature sets, including vulnerability identification capabilities. None of them are closely comparable and this inevitably skews results since there's no baseline. No one wants to be treated unfairly by someone publishing negative and biased performance reviews. I believe this is the primary concern on why the trial agreements prevent publishing performance results.
This isn't to say the initiative can't be done and the vendors don't want it to be done, but the interested product participants would first have to work together to develop fair testing criteria. Without their buy-in it's never going to work. WASC has a strong working relationship with many web application security industry experts and vendors to make this possible.
In the web application firewall (WAF) world, WASC has begun this process:
"Web Application Firewall Evaluation Criteria" Project (WAFEC)
Led by Ivan Ristic, author of "Apache Security" and Mod_Security
http://www.webappsec.org/projects/waf_evaluation/

Top vendors and experts are working together to develop the industry standard testing criteria for evaluating the quality of web application firewall solutions. The expectation is that anyone would be able to use the criteria to evaluate a WAF product in a consistent manner, whether it be a customer, professional reviewer, vendor, consultant, etc.
I expect the web application scanner guys to follow suit; it's really just a matter of when.
Regards,
Jeremiah Grossman

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

On Aug 11, 2005, at 8:52 AM, Mark Curphey wrote:

Seems like it would be pretty valuable to publish an independent (not by the vendors or the vendors' consortium) review of performance of the web app scanners. Last time I looked the trial agreements prevented publication of comparisons and results. I know of a few magazines that would be happy to publish the results and I would volunteer to organize the testing.

-----Original Message-----
From: Ory Segal [mailto:osegal () watchfire com]
Sent: Thursday, August 11, 2005 6:16 AM
To: goenw
Cc: pen-test () securityfocus com; Webappsec
Subject: RE: Application Assessment

Hi,

You should also check: http://www.webappsec.org (Web Application Security Consortium)

With regards to utilities, you can download the free Watchfire Powertools (HTTP Proxy, HTTP request editor, etc.), here's the link:
http://www.watchfire.com/securityzone/download/default.aspx

At the same link, you can also download eval versions of Watchfire's AppScan product (an automated application security scanner).

You can also find basic and advanced whitepapers on the subject at:
http://www.watchfire.com/news/whitepapers.aspx

-Ory

-----Original Message-----
From: Glyn Geoghegan [mailto:glyng () corsaire com]
Sent: Thursday, August 11, 2005 4:48 AM
To: goenw
Cc: pen-test () securityfocus com; Webappsec
Subject: Re: Application Assessment

On 8 Aug 2005, at 12:53, goenw wrote:

> Hi, anybody have experience with application assessment? I am a network guy, don't know much about the apps PT.
> 1. Is there any tools that allow me to do the assessment thoroughly?

If you're talking web-applications, check out www.owasp.org for a wealth of information on the subject.

You may also want to take a look at the webappsec mailing list at www.securityfocus.com.

Typically, the kind of tools you'll need are the personal-proxy category, allowing you to intercept and modify communications between the client and server - see Paros Proxy, Odysseus and Burp Proxy, for example.

There are fully automated tools, but in my personal experience the manual approach has worked more effectively.

Fat client/binary assessment is a slightly different (and arguably more complex) beast, and probably off-topic for this list.

> 2. Should I have an external party conduct this, what are the things I should expect from them (success criteria)? Any comments are appreciated.

That depends on how confident you are with your abilities, the drivers for the assessment and a wealth of factors. Normally, some coding or development background is essential to identify and understand potential vulnerabilities.

Check out www.application-testing.com for our guide on the world of Application Security Assessments.

--
-------------------------------------------------------
Glyn Geoghegan BSc, ARCS
Principal Consultant
Corsaire Ltd
3 Tannery House, Tannery Lane
Send, Surrey, GU23 7EF, UK
UK: +44 (0)1483 226 000
Fax: +44 (0)1483 226 001
http://www.corsaire.com
-------------------------------------------------------
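As an added illustration of what the "personal-proxy" category of tool that Glyn describes actually does (example code written for this archive page, not from any participant in the thread or from Paros, Odysseus or Burp), the following is the core of a minimal intercepting HTTP proxy: it parses each client request, records it, passes it through a rewrite hook, and forwards the rebuilt request upstream. The sample request, the `X-Assessment-Id` header and the assessment id value are all constructed for the example; only plain HTTP/1.1 is handled, not CONNECT/TLS.

```python
"""Minimal intercepting HTTP proxy core (added example, not from the thread).

Sits between client and server, records each request, lets a hook rewrite it,
and forwards the result. Plain HTTP/1.1 only; no CONNECT/TLS handling.
"""
import socket
import socketserver
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: list = field(default_factory=list)  # (name, value) pairs, order kept
    body: bytes = b""

    def header(self, name):
        """Case-insensitive header lookup; None if absent."""
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def set_header(self, name, value):
        """Replace (or add) a header, dropping any existing copies."""
        self.headers = [(k, v) for k, v in self.headers if k.lower() != name.lower()]
        self.headers.append((name, value))


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Request(method, target, version, headers, body)


def serialize(req: Request) -> bytes:
    """Rebuild the wire form; Content-Length is recomputed so an edited body stays valid."""
    if req.body or req.method in ("POST", "PUT", "PATCH"):
        req.set_header("Content-Length", str(len(req.body)))
    lines = [f"{req.method} {req.target} {req.version}"]
    lines += [f"{k}: {v}" for k, v in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + req.body


def set_form_field(req: Request, name: str, value: str) -> Request:
    """Edit one field of a urlencoded form body, the kind of change a tester
    makes by hand in the proxy's request editor."""
    fields = parse_qsl(req.body.decode("iso-8859-1"), keep_blank_values=True)
    fields = [(k, v) for k, v in fields if k != name] + [(name, value)]
    req.body = urlencode(fields).encode("iso-8859-1")
    return req


def tag_request(req: Request, test_id: str) -> Request:
    """Hook that marks traffic from a sanctioned test so server-side logs can be
    correlated with the tester's own records. Header name is hypothetical."""
    req.set_header("X-Assessment-Id", test_id)
    return req


def describe(req: Request) -> str:
    """One-line audit record of a request passing through the proxy."""
    return f"{req.method} {req.target} host={req.header('Host')} len={len(req.body)}"


class InterceptingProxy(socketserver.StreamRequestHandler):
    """Reads one request from the client, applies `hook`, forwards it, relays the reply."""
    hook = staticmethod(lambda req: req)  # replace with any rewrite function

    def handle(self):
        head = b""
        while not head.endswith(b"\r\n\r\n"):
            line = self.rfile.readline()
            if not line:
                return
            head += line
        req = parse_request(head)
        req.body = self.rfile.read(int(req.header("Content-Length") or 0))
        if req.target.startswith("http://"):  # proxy-style absolute URI -> origin form
            _, _, path = req.target[7:].partition("/")
            req.target = "/" + path
        req = self.hook(req)
        req.set_header("Connection", "close")  # one request per upstream connection
        print(describe(req))
        host, _, port = req.header("Host").partition(":")
        with socket.create_connection((host, int(port or 80))) as upstream:
            upstream.sendall(serialize(req))
            while chunk := upstream.recv(65536):
                self.wfile.write(chunk)


if __name__ == "__main__":
    InterceptingProxy.hook = lambda r: tag_request(r, "constructed-run-001")
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), InterceptingProxy) as srv:
        srv.serve_forever()  # point a browser's HTTP proxy setting at 127.0.0.1:8080
```

Run stand-alone it listens on 127.0.0.1:8080 and prints one audit line per forwarded request; the parse/rewrite/serialize functions are what a request editor in a real proxy wraps a user interface around, and `serialize` recomputing Content-Length is the detail that keeps a hand-edited body from producing a malformed request.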