WebApp Sec mailing list archives
Re: RE: Application Assessment
From: RUI PEREIRA - WCG <wavefront1 () shaw ca>
Date: Fri, 12 Aug 2005 09:08:47 -0700
Juan,

Approx 1 year ago we did an evaluation between Appscan, Kavado, WebInspect and AppDetective. We chose WebInspect for the range of vulnerabilities tested for, the granularity of test selection, the flexibility of use, etc. Contact me offline if you want more detail on our selection process.

Thank You

Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA
Principal Consultant
WaveFront Consulting Group
Certified Information Systems Security Professionals
wavefront1 () shaw ca | 1 (604) 961-0701

----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Allen,

One question... have you ever tried Watchfire's Appscan? If so, which tool could be better between Appscan and Webinspect?

Juan Carlos Reyes Muñoz
GIAC Certified Forensic Analyst - SANS Institute
Information Security Consultant
Cel. (57) 311 513 9280
Miami Mailbox
1900 N.W. 97th Avenue
Suite No. 722-1971
Miami, FL 33172

The contents and thoughts included in this e-mail are completely personal. This e-mail message and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify me immediately by replying to this message and please destroy all copies of this message and attachments. Please also try to forget everything you have read that was contained in this E-Mail message, except this part. Misuse, copying and redistribution of this e-mail are forbidden. Thank you.

----- Original Message -----
From: Brokken, Allen P. [BrokkenA () missouri edu]
Sent: Thursday, 11 August 2005 01:43 p.m.
To: Glyn Geoghegan; goenw
CC: pen-test () securityfocus com; Webappsec
Subject: RE: Application Assessment

I am a Security Analyst for the University of Missouri - Columbia Campus. I came from a systems administration background, and in the past 18 months have been tasked with application security as just part of a greater Information Systems Auditing program.
I personally have used SpikeProxy from www.insecure.org, Paros, mentioned by others, and evaluated a handful of other Proxy/Automated Attack Methods. However, the best tool I've seen and the one we finally purchased is WebInspect from SPI Dynamics http://www.spidynamics.com

I did some independent tests between SpikeProxy and WebInspect on a few different applications. With SpikeProxy it took basically 1 working day to run the tool, verify false positives, look up good references for the vulnerabilities and write the report. The same application with WebInspect took approximately 15 minutes of my time to configure and generate the final report, while taking about 2 hours to actually run without my intervention. It typically found 20% more vulnerabilities than I could find by the more manual method with SpikeProxy, and produced extensive reports that not only explained the vulnerabilities, but gave code references the developers could use to fix their problem.

Those were results I got prior to training. I got some extensive training with the tool and on web application testing in general at Security-PS http://www.securityps.com. They are a Professional Application Security auditing company and they use this as their core tool because of both the accuracy of the tool and the responsiveness of the company. In the training I got to learn how to effectively use a whole suite of tools including a Web Brute force attacker, SQL Injector, Proxy, Encoders/Decoders, and Web Service assessment tools to name a few.

The tool is a little pricey, but I work with literally dozens of campus departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL Server and even VBScript/Access systems with the WebInspect Suite of tools. The #1 comment I get from the developers is how helpful the report was in correcting their code. For that broad spectrum of coding environments I couldn't possibly provide code level help to the developers without this product.
We've been using it now for almost a year and the responsiveness of their Sales and Technical staff has been extreme. I haven't had a single issue that wasn't resolved in less than 24 hours. I've also gotten a lot of support from their sales staff regarding application security awareness for our campus developers in general.

One last thing to mention is the updates. I have never seen a tool that is so consistently updated. I have run 2 or 3 assessments in the same day and had updates for new vulnerabilities made available each time I ran the tool. If a week goes by without using it there can be literally 100's of new signatures it needs to add to the list.

If you have more questions and want to talk offline I'd be happy to answer them.

Allen Brokken
Systems Security Analyst - Principal
University of Missouri
brokkena () missouri edu

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)
Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.
-----END PGP SIGNATURE-----