WebApp Sec mailing list archives
RE: Application Assessment (Correction)
From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Mon, 15 Aug 2005 13:22:35 -0500
I had the wrong URL for SpikeProxy. SpikeProxy can be found at http://www.immunitysec.com; www.insecure.org is of course nmap. Sorry for any confusion.

---
Allen Brokken
IAT Services - ISAM
University of Missouri
brokkena () missouri edu

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org]
Sent: Saturday, August 13, 2005 3:49 AM
To: secureuniverse () hushmail com
Cc: wavefront1 () shaw ca; jcreyes () etb net co; kstarkey () siegeworks com; pen-test () securityfocus com; webappsec () securityfocus com
Subject: Re: Application Assessment

Have you looked at Cruiser at www.dyadlabs.com? It's touted to be the open-source alternative to the commercial application assessors.

-pete.

secureuniverse () hushmail com wrote:

Guys,

I have been a freelance writer and a research analyst and write under different pen names. Usually I don't post messages on these boards, but all the chatter got to me. There are a number of ways of assessing your applications. Besides all the open source tools, there are a number of commercial tools as well as service providers who can help you. Here are the pros and cons of each:

Open Source - Nessus, Nikto, Whisker etc.
Pros - These are free.
Cons - Very limited in functionality, lack of reporting, lack of support. If you are serious about testing, you would use these to play with but quickly move on to commercial products.

Commercial - Four key players - Cenzic, Kavado, SPI Dynamics, Watchfire. These points are based on feedback from various companies, journalists, analysts, and independent evaluations.
Kavado - Out of business recently.
Watchfire - Had acquired Sanctum for web scanner. Pro - has been around for a long time. Cons - Lots of false positives. Lack of stability in the product.
SPI Dynamics - Has been around for a while. Pro - has the largest installed base. Easy interface. Cons - Lots of false positives. Signature-based approach for most vulnerabilities.
Cenzic - Around for a while but restarted and rearchitected the product two years ago. Announced the new products a few months ago. Pros - Based on various input points, very different and refreshing approach. Doesn't use signature-based methodology. Very few false positives and extremely flexible, allowing companies to create their own test scripts easily. Proven even better than manual testing results in many cases. Cons - Newer player with not as big an installed base as other companies.

Service providers - Various SIs - big 5 and many boutique firms who provide pen testing and manual security assessments.
Pros - manual testing can generally provide good results depending on the caliber of the consultant.
Cons - Generally too expensive and time consuming.

Depending on your needs, you can pick one or a combination of these. Good luck!

On Fri, 12 Aug 2005 12:39:11 -0700 Kyle Starkey <kstarkey () siegeworks com> wrote:

I would suggest against the AppScan product unless you want to use their developers edition for pre-compiled code... There has been very little R&D time/dollars being allocated to this product in the past 24 months and as such it has lagged behind in functionality by comparison to the WebInspect product.. If you only have budget for one tool I would suggest WebInspect over the others...

On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:

Juan,

Approx 1 year ago we did an evaluation between AppScan, Kavado, WebInspect and AppDetective. We chose WebInspect for the range of vulnerabilities tested for, the granularity of test selection, the flexibility of use, etc. Contact me offline if you want more detail on our selection process.

Thank You
Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA
Principal Consultant
WaveFront Consulting Group
Certified Information Systems Security Professionals
wavefront1 () shaw ca | 1 (604) 961-0701

----- Original Message -----
From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
Date: Friday, August 12, 2005 8:26 am
Subject: RE: Application Assessment

Allen,

One question... have you ever tried Watchfire's AppScan? If so, which tool could be better between AppScan and WebInspect?

Juan Carlos Reyes Muñoz
GIAC Certified Forensic Analyst - SANS Institute
Information Security Consultant
Cel. (57) 311 513 9280
Miami Mailbox
1900 N.W. 97th Avenue Suite No. 722-1971
Miami, FL 33172

The opinions expressed in this communication are entirely personal. Likewise, this communication and all of its attachments are confidential and intended exclusively for the addressee. If for any reason you receive this communication and you are NOT the addressee, let me know by replying to this e-mail and please destroy any copy of it and of the attachments. Please also try to forget anything you have read in this communication, except this part. Any improper use of this information is prohibited, as is making copies of this message. Thank you.

The contents and thoughts included in this e-mail are completely personal. This e-mail message and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify me immediately by replying to this message and please destroy all copies of this message and attachments. Please also try to forget everything you have read that was contained in this e-mail message, except this part. Misuse, copying and redistribution of this e-mail are forbidden. Thank you.

-----Original Message-----
From: Brokken, Allen P. [BrokkenA () missouri edu]
Sent: Thursday, 11 August 2005 01:43 p.m.
To: Glyn Geoghegan; goenw
Cc: pen-test () securityfocus com; Webappsec
Subject: RE: Application Assessment

I am a Security Analyst for the University of Missouri - Columbia Campus. I came from a systems administration background, and in the past 18 months have been tasked with application security as just part of a greater Information Systems Auditing program.

I personally have used SpikeProxy from www.insecure.org, Paros, mentioned by others, and evaluated a handful of other Proxy/Automated Attack Methods. However, the best tool I've seen and the one we finally purchased is WebInspect from SPI Dynamics http://www.spidynamics.com

I did some independent tests between SpikeProxy and WebInspect on a few different applications. With SpikeProxy it took basically 1 working day to run the tool, verify false positives, look up good references for the vulnerabilities and write the report. The same application with WebInspect took approximately 15 minutes of my time to configure and generate the final report, while taking about 2 hours to actually run without my intervention. It typically found 20% more vulnerabilities than I could find by the more manual method with SpikeProxy, and produced extensive reports that not only explained the vulnerabilities, but gave code references the developers could use to fix their problem.

Those were results I got prior to training. I got some extensive training with the tool and on web application testing in general at Security-PS http://www.securityps.com. They are a Professional Application Security auditing company and they use this as their core tool because of both the accuracy of the tool and the responsiveness of the company. In the training I got to learn how to effectively use a whole suite of tools including a Web Brute force attacker, SQL Injector, Proxy, Encoders / Decoders, and Web Service assessment tools to name a few.

The tool is a little pricey, but I work with literally dozens of campus departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL Server and even VBScript/Access systems with the WebInspect Suite of tools. The #1 comment I get from the developers is how helpful the report was in correcting their code. For that broad spectrum of coding environments I couldn't possibly provide code level help to the developers without this product.

We've been using it now for almost a year and the responsiveness of their Sales and Technical staff has been extreme. I haven't had a single issue that wasn't resolved in less than 24 hours. I've also gotten a lot of support from their sales staff regarding application security awareness for our campus developers in general.

One last thing to mention is the updates. I have never seen a tool that is so consistently updated. I have run 2 or 3 assessments in the same day and had updates for new vulnerabilities made available each time I ran the tool. If a week goes by without using it there can be literally 100's of new signatures it needs to add to the list.

If you have more questions and want to talk offline I'd be happy to answer them.

Allen Brokken
Systems Security Analyst - Principal
University of Missouri
brokkena () missouri edu
Kyle Starkey
Senior Security Consultant
SiegeWorks
Cell: 435-962-8986