Re: RE: Application Assessment

[<secureuniverse () hushmail com>]

Guys

I have been a free lance writer and a research analyst and write 
under different pen names. Usually, I don't post message on these 
boards but all the chatter got to me. There are a number of ways to 
assessing your applications. Besides all the open source tools, 
there are a number of commercial tools as well as service providers 
who can help you. Here are the pros and cons of each:

Open Source
-Nessus, Nikto, Whisker etc. - Pros - These are fee. Cons - Very 
limited in functionality, lack of reporting, lack of support. If 
you are serious about testing, you would use these to play with but 
quickly move on to commerical products

Commercial
- Four key players - Cenzic, Kavado, SpiDynamics, Watchfire. These 
points are based on feedback from various companies, journalists, 
analysts, and indepedent evaluations.

Kavado - Out of business recently 
Watchfire - Had acquired Sanctum for web scanner. Pro - has been 
around for a long time. Cons- Lots of false positives. Lack of 
stability in the product
Spidynamics - Has been around for a while. Pro - has the largest 
installed base. Easy interface. Cons - Lots of false positives. 
Signature based approach for most vulnerabilities
Cenzic - Around for a while but restarted and rearchitected the 
product two years ago. Announced the new products a few months ago. 
Pros - Based on various input points, very different and refreshing 
approach. Doesn't use signature base methodology. Very few false 
positives and exteremely flexible allowing companies to create 
their own test scripts easily. Proven even better than manual 
testing results in many cases. Cons - Newer player with not as big 
an installed base as other companies. 

Service providers


Various SIs - big 5 and many boutique firms who provide pen testing 
and manual security assessments. Pros - manual testing can 
generally provide good results depending on the caliber of the 
consultant. Cons -Generally too expensive and time consuming

Depending on your needs, you can pick one or a combination of 
these. Good luck! 

On Fri, 12 Aug 2005 12:39:11 -0700 Kyle Starkey 
<kstarkey () siegeworks com> wrote:
> I would suggest against the appscan product unless you want to use 

> their 
> developers addition for pre compiled code... There has been very 
> litle 
> r&d time/dollars being allocated to this product in the past 24 
> months 
> and as such it has lagged behind in functionaliy by comparison to 
> the 
> webinspect product.. If you only have budget for one tool I would 
> suggest webinspect over the others...
>
>
> On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:
> > Juan,
> >
> > Approx 1 year ago we did an evaluation between Appscan, Kavado, 
> > WebInspect and AppDetective. We chose WebInspect for the range 
> of 
> > vulnerabilities tested for, the granularity of test selection, 
> the 
> > flexibility of use, etc. Contact me offline if you want more 
> detail on 
> > our selection process.
> >
> > Thank You
> >
> > Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA
> > Principal Consultant
> >
> > WaveFront Consulting Group
> > Certified Information Systems Security Professionals
> >
> > wavefront1 () shaw ca | 1 (604) 961-0701
> >
> >
> > ----- Original Message -----
> > From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
> > Date: Friday, August 12, 2005 8:26 am
> > Subject: RE: Application Assessment
> >
> > >  -----BEGIN PGP SIGNED MESSAGE-----
> > >  Hash: SHA256
> > >
> > >  Allen,
> > >
> > >  One question... have you ever tried Watchfire's Appscan? If 
> so,
> > >  which tool
> > >  could be better between Appscan and Webinspect?
> > >
> > >  Juan Carlos Reyes Muñoz
> > >
> > >  GIAC Certified Forensic Analyst - SANS Institute
> > >  Consultor de Seguridad Informática
> > >
> > >  Cel. (57) 311 513 9280
> > >
> > >  Miami Mailbox
> > >  1900 N.W. 97th Avenue
> > >  Suite No. 722-1971
> > >  Miami, FL 33172
> > >
> > >  Las opiniones expresadas en esta comunicación son enteramente
> > >  personales. De
> > >  igual manera, esta comunicación y todos sus datos adjuntos son
> > >  confidenciales y exclusivamente para el destinatario. Si por 
> algún
> > >  motivorecibe esta comunicación y usted NO es el destinatario,
> > >  hágamelo saber
> > >  respondiendo a este correo y por favor destruya cualquier 
> copia
> > >  del mismo y
> > >  de los datos adjuntos. Por favor tambien trate de olvidar
> > >  cualquier cosa que
> > >  haya leido en esta comunicación, excepto en esta parte. Está 
> prohibido
> > >  cualquier uso inadecuado de esta información, así como la
> > >  generación de
> > >  copias de este mensaje. Gracias.
> > >
> > >  The contents and thoughts included in this e-mail are 
> completely
> > >  personal.This e-mail message and any attachments are 
> confidential
> > >  and may be
> > >  privileged. If you are not the intended recipient, please 
> notify me
> > >  immediately by replying to this message and please destroy all
> > >  copies of
> > >  this message and attachments. Please also try to forget 
> everything
> > >  you have
> > >  read that was contained in this E-Mail message, except this 
> part.
> > >  Misuse,copying and redistribution of this e-mail are 
> forbidden.
> > >  Thank you.
> > >
> > >  > -----Mensaje original-----
> > >  > De: Brokken, Allen P. [BrokkenA () missouri edu]
> > >  > Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m.
> > >  > Para: Glyn Geoghegan; goenw
> > >  > CC: pen-test () securityfocus com; Webappsec
> > >  > Asunto: RE: Application Assessment
> > >  >
> > >  > I am a Security Analyst for the University of Missouri -
> > >  Columbia Campus.
> > >  > I came from a systems administration background, and in the 
> past
> > >  18 months
> > >  > have been tasked with application security as just part of a 

> greater
> > >  > Information Systems Auditing program.
> > >  >
> > >  > I personally have used
> > >  >
> > >  > SpikeProxy from www.insecure.org
> > >  > Paros, mentioned by others
> > >  > and evaluated a handful of other Proxy/Automated Attack 
> Methods.
> > >  >
> > >  > However, the best tool I've seen and the one we finally
> > >  purchased is
> > >  > WebInspect from SPI Dynamics
> > >  > http://www.spidynamics.com
> > >  >
> > >  > I did some independent test between SpikeProxy and 
> WebInspect on
> > >  the a few
> > >  > different applications.  With SpikeProxy it took basically 1
> > >  working day
> > >  > to run the tool, and verify false positives, look up good
> > >  references for
> > >  > the vulnerabilities and write the report.  The same 
> application with
> > >  > WebInspect took approximately 15 minutes of my time to
> > >  configure, and
> > >  > generate the final report while taking about 2 hours to 
> actually run
> > >  > without my intervention.  It typically found 20% more
> > >  vulnerabilities than
> > >  > I could find by the more manual method with SpikeProxy, and 
> produced
> > >  > extensive reports that not only explained the 
> vulnerabilities,
> > >  but gave
> > >  > code references the developers could use to fix their 
> problem.
> > >  >
> > >  > Those were results I got prior to training.  I got some
> > >  extensive training
> > >  > with the tool and on web application testing in general at
> > >  Security-PS
> > >  > http://www.securityps.com.  They are a Professional 
> Application
> > >  Security> auditing company and they use this as their core 
> tool
> > >  because of both the
> > >  > accuracy of the tool and the responsiveness of the company.  

> In the
> > >  > training I got to learn how to effectively use the a whole 
> suite
> > >  of tools
> > >  > including a Web Brute force attacker, SQL Injector, Proxy,
> > >  Encoders /
> > >  > Decoders, and Web Service assessment tools to name a few.
> > >  >
> > >  > The tool is a little pricey, but I work with litterally 
> dozens
> > >  of campus
> > >  > departments and have evaluated LAMP, JAVA/ORACLE, 
> ASP.NET/SQL
> > >  Server and
> > >  > even VBScript/Access systems with the WebInspect Suite of 
> tools.
> > >  The #1
> > >  > comment I get from the developers is how helpful the report 
> was in
> > >  > correcting their code. For that broad spectrum of coding
> > >  enviroments I
> > >  > couldn't possibly provide code level help to the developers
> > >  without this
> > >  > product.
> > >  >
> > >  > We've been using it now for almost a year and the 
> responsiveness
> > >  of their
> > >  > Sales and Technial staff has been extreme.  I haven't had a
> > >  single issue
> > >  > that wasn't resolved in less than 24 hours.  I've also 
> gotten a
> > >  lot of
> > >  > support from their sales staff regarding application 
> security
> > >  awareness> for our campus developers in general.
> > >  >
> > >  > One last thing to mention is the updates.  I have never seen 

> a
> > >  tool that
> > >  > is so consistently updated.  I have run 2 or 3 assessments 
> in
> > >  the same day
> > >  > and had updates for new vulnerabilities made available each 
> time
> > >  I ran the
> > >  > tool.  If a week goes by without using it there can be
> > >  litterally 100's of
> > >  > new signatures it needs to add to the list.
> > >  >
> > >  > If you have more questions and want to talk offline I'd be 
> happy
> > >  to answer
> > >  > them.
> > >  >
> > >  > Allen Brokken
> > >  > Systems Security Analyst - Principal
> > >  > Univeristy of Missouri
> > >  > brokkena () missouri edu
> > >
> > >
> > >  -----BEGIN PGP SIGNATURE-----
> > >  Version: PGP Desktop 9.0.1 (Build 2185)
> > >  Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.
> > >
> > >  
> iQIVAwUBQvy/k4ElKqNdrUwNAQgxhw//c/aBxhmWEZl5lisTuM4YjV7VL5ikWCzr
> > >  
> OwwfVoV+dnAzYSio55zhGidKLh/kU9A12WdWz6a77xSZyPmsf0mVszyN0cYuf24A
> > >  
> /jtxb9GRAdlyLii1r38FdQ2BKCl3/Wydd2Q5seyukNZMg5QggdtSPMyKwF4pkehD
> > >  
> 7Z6Hb/M+bQjJN7zyn8L/94Kr0LJU8GK8AWCO4XB+yku5ndUOmcWF+XJrClx3qUSO
> > >  
> FWj75d+fasRXuM8/Z9bBeCfvDlhuTh01afa68Mz2aO5uOoCooDvsAa0S9q6gre8e
> > >  
> TDzl8okWMzudyKdJrbkW5JPb3SGvtAvcsfdRKX+qv4dbhxFnbKncghhwMgBY+2ua
> > >  
> uZ8nieMtvjTbpPNev0VQe7nDCD0XPR6Ft9Ty1DddYY9SbIOoJAYR0oQ50zBi769i
> > >  
> Eq0CD8++Hf4oqrBHZEkIMsotNYVTEjOcdbiP9lqd/efZ0Tcl5pZKP8qqGcUF1/D4
> > >  
> OUpq4JEM/N3iw0dTBPLnvIcHftE6Ou/VJAr8EFjUAw++9LBcwXKd9U5q+1j2ysBo
> > >  
> ELRd+wpTz5dTc73nQeTjA8MNJspO82JHf8C/c0f89OlKMgDx8fcnwcV+FL8L52Od
> > >  
> /KITItOoltULIhvFoHHWK23mWibJffu4XMN00YAwTzlC09iQMUZisdX+Jju6gsz5
> > >  Eyk0+jWqQCg=
> > >  =L/PW
> > >  -----END PGP SIGNATURE-----
> >
> >
> > -----------------------------------------------------------------

> -------------
> > FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That 

> You 
> > Don't
> >
> > Learn the hacker's secrets that compromise wireless LANs. Secure 

> your
> > WLAN by understanding these threats, available hacking tools and 

> proven
> > countermeasures. Defend your WLAN against man-in-the-Middle 
> attacks and
> > session hijacking, denial-of-service, rogue access points, 
> identity
> > thefts and MAC spoofing. Request your complimentary white paper 
> at:
> > http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
> > -----------------------------------------------------------------

> --------------
> Kyle Starkey
> Senior Security Consultant
> SiegeWorks
> Cell: 435-962-8986



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427