WebApp Sec mailing list archives

Re: RE: Application Assessment


From: RUI PEREIRA - WCG <wavefront1 () shaw ca>
Date: Fri, 12 Aug 2005 09:08:47 -0700

Juan,

Approximately 1 year ago we did an evaluation between Appscan, Kavado, WebInspect and AppDetective. We chose WebInspect for the range of vulnerabilities tested for, the granularity of test selection, the flexibility of use, etc. Contact me offline if you want more detail on our selection process.

Thank You

Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA
Principal Consultant

WaveFront Consulting Group
Certified Information Systems Security Professionals

wavefront1 () shaw ca | 1 (604) 961-0701


----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Allen,

One question... have you ever tried Watchfire's Appscan? If so, which tool would be better, Appscan or Webinspect?

Juan Carlos Reyes Muñoz

GIAC Certified Forensic Analyst - SANS Institute
Information Security Consultant

Cel. (57) 311 513 9280

Miami Mailbox
1900 N.W. 97th Avenue
Suite No. 722-1971
Miami, FL 33172

The contents and thoughts included in this e-mail are completely personal. This e-mail message and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify me immediately by replying to this message and please destroy all copies of this message and attachments. Please also try to forget everything you have read that was contained in this e-mail message, except this part. Misuse, copying and redistribution of this e-mail are forbidden. Thank you.

-----Original Message-----
From: Brokken, Allen P. [BrokkenA () missouri edu]
Sent: Thursday, 11 August 2005 01:43 p.m.
To: Glyn Geoghegan; goenw
CC: pen-test () securityfocus com; Webappsec
Subject: RE: Application Assessment

I am a Security Analyst for the University of Missouri - Columbia Campus. I came from a systems administration background, and in the past 18 months have been tasked with application security as just part of a greater Information Systems Auditing program.

I personally have used

SpikeProxy from www.insecure.org
Paros, mentioned by others
and evaluated a handful of other Proxy/Automated Attack Methods.

However, the best tool I've seen, and the one we finally purchased, is WebInspect from SPI Dynamics:
http://www.spidynamics.com

I did some independent tests between SpikeProxy and WebInspect on a few different applications. With SpikeProxy it took basically 1 working day to run the tool, verify false positives, look up good references for the vulnerabilities and write the report. The same application with WebInspect took approximately 15 minutes of my time to configure and generate the final report, while taking about 2 hours to actually run without my intervention. It typically found 20% more vulnerabilities than I could find by the more manual method with SpikeProxy, and produced extensive reports that not only explained the vulnerabilities, but gave code references the developers could use to fix their problem.

Those were results I got prior to training. I got some extensive training with the tool and on web application testing in general at Security-PS (http://www.securityps.com). They are a professional application security auditing company and they use this as their core tool because of both the accuracy of the tool and the responsiveness of the company. In the training I got to learn how to effectively use a whole suite of tools including a web brute-force attacker, SQL injector, proxy, encoders/decoders, and web service assessment tools, to name a few.

The tool is a little pricey, but I work with literally dozens of campus departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL Server and even VBScript/Access systems with the WebInspect suite of tools. The #1 comment I get from the developers is how helpful the report was in correcting their code. For that broad spectrum of coding environments I couldn't possibly provide code-level help to the developers without this product.

We've been using it now for almost a year and the responsiveness of their sales and technical staff has been extreme. I haven't had a single issue that wasn't resolved in less than 24 hours. I've also gotten a lot of support from their sales staff regarding application security awareness for our campus developers in general.

One last thing to mention is the updates. I have never seen a tool that is so consistently updated. I have run 2 or 3 assessments in the same day and had updates for new vulnerabilities made available each time I ran the tool. If a week goes by without using it there can be literally hundreds of new signatures it needs to add to the list.

If you have more questions and want to talk offline I'd be happy to answer them.

Allen Brokken
Systems Security Analyst - Principal
University of Missouri
brokkena () missouri edu


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)
Comment: Secure Message, Sent by Juan Carlos Reyes M.
-----END PGP SIGNATURE-----
