WebApp Sec mailing list archives
Re: RE: Application Assessment
From: <secureuniverse () hushmail com>
Date: Fri, 12 Aug 2005 18:38:41 -0700
Guys I have been a free lance writer and a research analyst and write under different pen names. Usually, I don't post message on these boards but all the chatter got to me. There are a number of ways to assessing your applications. Besides all the open source tools, there are a number of commercial tools as well as service providers who can help you. Here are the pros and cons of each: Open Source -Nessus, Nikto, Whisker etc. - Pros - These are fee. Cons - Very limited in functionality, lack of reporting, lack of support. If you are serious about testing, you would use these to play with but quickly move on to commerical products Commercial - Four key players - Cenzic, Kavado, SpiDynamics, Watchfire. These points are based on feedback from various companies, journalists, analysts, and indepedent evaluations. Kavado - Out of business recently Watchfire - Had acquired Sanctum for web scanner. Pro - has been around for a long time. Cons- Lots of false positives. Lack of stability in the product Spidynamics - Has been around for a while. Pro - has the largest installed base. Easy interface. Cons - Lots of false positives. Signature based approach for most vulnerabilities Cenzic - Around for a while but restarted and rearchitected the product two years ago. Announced the new products a few months ago. Pros - Based on various input points, very different and refreshing approach. Doesn't use signature base methodology. Very few false positives and exteremely flexible allowing companies to create their own test scripts easily. Proven even better than manual testing results in many cases. Cons - Newer player with not as big an installed base as other companies. Service providers Various SIs - big 5 and many boutique firms who provide pen testing and manual security assessments. Pros - manual testing can generally provide good results depending on the caliber of the consultant. Cons -Generally too expensive and time consuming Depending on your needs, you can pick one or a combination of these. Good luck! On Fri, 12 Aug 2005 12:39:11 -0700 Kyle Starkey <kstarkey () siegeworks com> wrote:
I would suggest against the appscan product unless you want to use
their developers addition for pre compiled code... There has been very litle r&d time/dollars being allocated to this product in the past 24 months and as such it has lagged behind in functionaliy by comparison to the webinspect product.. If you only have budget for one tool I would suggest webinspect over the others... On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:Juan, Approx 1 year ago we did an evaluation between Appscan, Kavado, WebInspect and AppDetective. We chose WebInspect for the rangeofvulnerabilities tested for, the granularity of test selection,theflexibility of use, etc. Contact me offline if you want moredetail onour selection process. Thank You Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA Principal Consultant WaveFront Consulting Group Certified Information Systems Security Professionals wavefront1 () shaw ca | 1 (604) 961-0701 ----- Original Message ----- From: Juan Carlos Reyes Muñoz <jcreyes () etb net co> Date: Friday, August 12, 2005 8:26 am Subject: RE: Application Assessment-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Allen, One question... have you ever tried Watchfire's Appscan? Ifso,which tool could be better between Appscan and Webinspect? Juan Carlos Reyes Muñoz GIAC Certified Forensic Analyst - SANS Institute Consultor de Seguridad Informática Cel. (57) 311 513 9280 Miami Mailbox 1900 N.W. 97th Avenue Suite No. 722-1971 Miami, FL 33172 Las opiniones expresadas en esta comunicación son enteramente personales. De igual manera, esta comunicación y todos sus datos adjuntos son confidenciales y exclusivamente para el destinatario. Si poralgúnmotivorecibe esta comunicación y usted NO es el destinatario, hágamelo saber respondiendo a este correo y por favor destruya cualquiercopiadel mismo y de los datos adjuntos. Por favor tambien trate de olvidar cualquier cosa que haya leido en esta comunicación, excepto en esta parte. Estáprohibidocualquier uso inadecuado de esta información, así como la generación de copias de este mensaje. Gracias. The contents and thoughts included in this e-mail arecompletelypersonal.This e-mail message and any attachments areconfidentialand may be privileged. If you are not the intended recipient, pleasenotify meimmediately by replying to this message and please destroy all copies of this message and attachments. Please also try to forgeteverythingyou have read that was contained in this E-Mail message, except thispart.Misuse,copying and redistribution of this e-mail areforbidden.Thank you. > -----Mensaje original----- > De: Brokken, Allen P. [BrokkenA () missouri edu] > Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m. > Para: Glyn Geoghegan; goenw > CC: pen-test () securityfocus com; Webappsec > Asunto: RE: Application Assessment > > I am a Security Analyst for the University of Missouri - Columbia Campus. > I came from a systems administration background, and in thepast18 months > have been tasked with application security as just part of a
greater> Information Systems Auditing program. > > I personally have used > > SpikeProxy from www.insecure.org > Paros, mentioned by others > and evaluated a handful of other Proxy/Automated AttackMethods.> > However, the best tool I've seen and the one we finally purchased is > WebInspect from SPI Dynamics > http://www.spidynamics.com > > I did some independent test between SpikeProxy andWebInspect onthe a few > different applications. With SpikeProxy it took basically 1 working day > to run the tool, and verify false positives, look up good references for > the vulnerabilities and write the report. The sameapplication with> WebInspect took approximately 15 minutes of my time to configure, and > generate the final report while taking about 2 hours toactually run> without my intervention. It typically found 20% more vulnerabilities than > I could find by the more manual method with SpikeProxy, andproduced> extensive reports that not only explained thevulnerabilities,but gave > code references the developers could use to fix theirproblem.> > Those were results I got prior to training. I got some extensive training > with the tool and on web application testing in general at Security-PS > http://www.securityps.com. They are a ProfessionalApplicationSecurity> auditing company and they use this as their coretoolbecause of both the > accuracy of the tool and the responsiveness of the company.
In the> training I got to learn how to effectively use the a wholesuiteof tools > including a Web Brute force attacker, SQL Injector, Proxy, Encoders / > Decoders, and Web Service assessment tools to name a few. > > The tool is a little pricey, but I work with litterallydozensof campus > departments and have evaluated LAMP, JAVA/ORACLE,ASP.NET/SQLServer and > even VBScript/Access systems with the WebInspect Suite oftools.The #1 > comment I get from the developers is how helpful the reportwas in> correcting their code. For that broad spectrum of coding enviroments I > couldn't possibly provide code level help to the developers without this > product. > > We've been using it now for almost a year and theresponsivenessof their > Sales and Technial staff has been extreme. I haven't had a single issue > that wasn't resolved in less than 24 hours. I've alsogotten alot of > support from their sales staff regarding applicationsecurityawareness> for our campus developers in general. > > One last thing to mention is the updates. I have never seen
atool that > is so consistently updated. I have run 2 or 3 assessmentsinthe same day > and had updates for new vulnerabilities made available eachtimeI ran the > tool. If a week goes by without using it there can be litterally 100's of > new signatures it needs to add to the list. > > If you have more questions and want to talk offline I'd behappyto answer > them. > > Allen Brokken > Systems Security Analyst - Principal > Univeristy of Missouri > brokkena () missouri edu -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.iQIVAwUBQvy/k4ElKqNdrUwNAQgxhw//c/aBxhmWEZl5lisTuM4YjV7VL5ikWCzrOwwfVoV+dnAzYSio55zhGidKLh/kU9A12WdWz6a77xSZyPmsf0mVszyN0cYuf24A/jtxb9GRAdlyLii1r38FdQ2BKCl3/Wydd2Q5seyukNZMg5QggdtSPMyKwF4pkehD7Z6Hb/M+bQjJN7zyn8L/94Kr0LJU8GK8AWCO4XB+yku5ndUOmcWF+XJrClx3qUSOFWj75d+fasRXuM8/Z9bBeCfvDlhuTh01afa68Mz2aO5uOoCooDvsAa0S9q6gre8eTDzl8okWMzudyKdJrbkW5JPb3SGvtAvcsfdRKX+qv4dbhxFnbKncghhwMgBY+2uauZ8nieMtvjTbpPNev0VQe7nDCD0XPR6Ft9Ty1DddYY9SbIOoJAYR0oQ50zBi769iEq0CD8++Hf4oqrBHZEkIMsotNYVTEjOcdbiP9lqd/efZ0Tcl5pZKP8qqGcUF1/D4OUpq4JEM/N3iw0dTBPLnvIcHftE6Ou/VJAr8EFjUAw++9LBcwXKd9U5q+1j2ysBoELRd+wpTz5dTc73nQeTjA8MNJspO82JHf8C/c0f89OlKMgDx8fcnwcV+FL8L52Od/KITItOoltULIhvFoHHWK23mWibJffu4XMN00YAwTzlC09iQMUZisdX+Jju6gsz5Eyk0+jWqQCg= =L/PW -----END PGP SIGNATURE----------------------------------------------------------------------
-------------FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That
YouDon't Learn the hacker's secrets that compromise wireless LANs. Secure
yourWLAN by understanding these threats, available hacking tools and
provencountermeasures. Defend your WLAN against man-in-the-Middleattacks andsession hijacking, denial-of-service, rogue access points,identitythefts and MAC spoofing. Request your complimentary white paperat:http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -----------------------------------------------------------------
-------------- Kyle Starkey Senior Security Consultant SiegeWorks Cell: 435-962-8986
Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427
Current thread:
- Re: Application Assessment, (continued)
- Re: Application Assessment Jeremiah Grossman (Aug 11)
- Re: Application Assessment Amit Klein (AKsecurity) (Aug 12)
- RE: Application Assessment Ashley Vandiver (Aug 11)
- RE: Application Assessment Brokken, Allen P. (Aug 11)
- RE: Application Assessment Brokken, Allen P. (Aug 12)
- RE: Application Assessment Juan Carlos Reyes Muñoz (Aug 12)
- RE: Application Assessment Brokken, Allen P. (Aug 12)
- Re: RE: Application Assessment RUI PEREIRA - WCG (Aug 12)
- Re: RE: Application Assessment Kyle Starkey (Aug 12)
- RE: Application Assessment Tom Stracener (Aug 12)
- Re: RE: Application Assessment secureuniverse (Aug 12)
- Re: Application Assessment Pete Herzog (Aug 13)
- RE: Application Assessment Michael Gargiullo (Aug 12)
- Re: Application Assessment goenw (Aug 17)
- RE: RE: Application Assessment Ory Segal (Aug 13)
- On Application Scanners (Was: Application Assessment) Mark Curphey (Aug 14)
- Re: Application Assessment secureuniverse (Aug 15)