RE: Application Assessment (Correction)

["Brokken, Allen P." <BrokkenA () missouri edu>]

I had the wrong URL for SpikeProxy

SpikeProxy can be found at http://www.immunitysec.com 

www.insecure.org is of course nmap

Sorry for any confusion.

---
Allen Brokken
IAT Services - ISAM
University of Missouri
brokkena () missouri edu

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org] 
Sent: Saturday, August 13, 2005 3:49 AM
To: secureuniverse () hushmail com
Cc: wavefront1 () shaw ca; jcreyes () etb net co; kstarkey () siegeworks com; pen-test () securityfocus com; webappsec 
() securityfocus com
Subject: Re: Application Assessment

Have you looked at Cruiser at www.dyadlabs.com?  It's touted to be the
open-source alternative to the commercial application assessors.

-pete.

secureuniverse () hushmail com wrote:
> Guys
>
> I have been a free lance writer and a research analyst and write 
> under different pen names. Usually, I don't post message on these 
> boards but all the chatter got to me. There are a number of ways to 
> assessing your applications. Besides all the open source tools, 
> there are a number of commercial tools as well as service providers 
> who can help you. Here are the pros and cons of each:
>
> Open Source
> -Nessus, Nikto, Whisker etc. - Pros - These are fee. Cons - Very 
> limited in functionality, lack of reporting, lack of support. If 
> you are serious about testing, you would use these to play with but 
> quickly move on to commerical products
>
> Commercial
> - Four key players - Cenzic, Kavado, SpiDynamics, Watchfire. These 
> points are based on feedback from various companies, journalists, 
> analysts, and indepedent evaluations.
>
> Kavado - Out of business recently 
> Watchfire - Had acquired Sanctum for web scanner. Pro - has been 
> around for a long time. Cons- Lots of false positives. Lack of 
> stability in the product
> Spidynamics - Has been around for a while. Pro - has the largest 
> installed base. Easy interface. Cons - Lots of false positives. 
> Signature based approach for most vulnerabilities
> Cenzic - Around for a while but restarted and rearchitected the 
> product two years ago. Announced the new products a few months ago. 
> Pros - Based on various input points, very different and refreshing 
> approach. Doesn't use signature base methodology. Very few false 
> positives and exteremely flexible allowing companies to create 
> their own test scripts easily. Proven even better than manual 
> testing results in many cases. Cons - Newer player with not as big 
> an installed base as other companies. 
>
> Service providers
>
>
> Various SIs - big 5 and many boutique firms who provide pen testing 
> and manual security assessments. Pros - manual testing can 
> generally provide good results depending on the caliber of the 
> consultant. Cons -Generally too expensive and time consuming
>
> Depending on your needs, you can pick one or a combination of 
> these. Good luck! 
>
> On Fri, 12 Aug 2005 12:39:11 -0700 Kyle Starkey 
> <kstarkey () siegeworks com> wrote:
>
> > I would suggest against the appscan product unless you want to use 
>
>
> > their 
> > developers addition for pre compiled code... There has been very 
> > litle 
> > r&d time/dollars being allocated to this product in the past 24 
> > months 
> > and as such it has lagged behind in functionaliy by comparison to 
> > the 
> > webinspect product.. If you only have budget for one tool I would 
> > suggest webinspect over the others...
> >
> >
> > On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:
> >
> > > Juan,
> > >
> > > Approx 1 year ago we did an evaluation between Appscan, Kavado, 
> > > WebInspect and AppDetective. We chose WebInspect for the range 
> >
> > of 
> >
> > > vulnerabilities tested for, the granularity of test selection, 
> >
> > the 
> >
> > > flexibility of use, etc. Contact me offline if you want more 
> >
> > detail on 
> >
> > > our selection process.
> > >
> > > Thank You
> > >
> > > Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA
> > > Principal Consultant
> > >
> > > WaveFront Consulting Group
> > > Certified Information Systems Security Professionals
> > >
> > > wavefront1 () shaw ca | 1 (604) 961-0701
> > >
> > >
> > > ----- Original Message -----
> > > From: Juan Carlos Reyes Muñoz <jcreyes () etb net co>
> > > Date: Friday, August 12, 2005 8:26 am
> > > Subject: RE: Application Assessment
> Allen,
>
> One question... have you ever tried Watchfire's Appscan? If 
> > > so,
> which tool
> could be better between Appscan and Webinspect?
>
> Juan Carlos Reyes Muñoz
>
> GIAC Certified Forensic Analyst - SANS Institute
> Consultor de Seguridad Informática
>
> Cel. (57) 311 513 9280
>
> Miami Mailbox
> 1900 N.W. 97th Avenue
> Suite No. 722-1971
> Miami, FL 33172
>
> Las opiniones expresadas en esta comunicación son enteramente
> personales. De
> igual manera, esta comunicación y todos sus datos adjuntos son
> confidenciales y exclusivamente para el destinatario. Si por 
> > > algún
> motivorecibe esta comunicación y usted NO es el destinatario,
> hágamelo saber
> respondiendo a este correo y por favor destruya cualquier 
> > > copia
> del mismo y
> de los datos adjuntos. Por favor tambien trate de olvidar
> cualquier cosa que
> haya leido en esta comunicación, excepto en esta parte. Está 
> > > prohibido
> cualquier uso inadecuado de esta información, así como la
> generación de
> copias de este mensaje. Gracias.
>
> The contents and thoughts included in this e-mail are 
> > > completely
> personal.This e-mail message and any attachments are 
> > > confidential
> and may be
> privileged. If you are not the intended recipient, please 
> > > notify me
> immediately by replying to this message and please destroy all
> copies of
> this message and attachments. Please also try to forget 
> > > everything
> you have
> read that was contained in this E-Mail message, except this 
> > > part.
> Misuse,copying and redistribution of this e-mail are 
> > > forbidden.
> Thank you.
>
> > -----Mensaje original-----
> > De: Brokken, Allen P. [BrokkenA () missouri edu]
> > Enviado el: Jueves, 11 de Agosto de 2005 01:43 p.m.
> > Para: Glyn Geoghegan; goenw
> > CC: pen-test () securityfocus com; Webappsec
> > Asunto: RE: Application Assessment
>
> > I am a Security Analyst for the University of Missouri -
> Columbia Campus.
> > I came from a systems administration background, and in the 
> > > past
> 18 months
> > have been tasked with application security as just part of a 
>
>
> > > greater
> > Information Systems Auditing program.
>
> > I personally have used
>
> > SpikeProxy from www.insecure.org
> > Paros, mentioned by others
> > and evaluated a handful of other Proxy/Automated Attack 
> > > Methods.
>
> > However, the best tool I've seen and the one we finally
> purchased is
> > WebInspect from SPI Dynamics
> > http://www.spidynamics.com
>
> > I did some independent test between SpikeProxy and 
> > > WebInspect on
> the a few
> > different applications.  With SpikeProxy it took basically 1
> working day
> > to run the tool, and verify false positives, look up good
> references for
> > the vulnerabilities and write the report.  The same 
> > > application with
> > WebInspect took approximately 15 minutes of my time to
> configure, and
> > generate the final report while taking about 2 hours to 
> > > actually run
> > without my intervention.  It typically found 20% more
> vulnerabilities than
> > I could find by the more manual method with SpikeProxy, and 
> > > produced
> > extensive reports that not only explained the 
> > > vulnerabilities,
> but gave
> > code references the developers could use to fix their 
> > > problem.
>
> > Those were results I got prior to training.  I got some
> extensive training
> > with the tool and on web application testing in general at
> Security-PS
> > http://www.securityps.com.  They are a Professional 
> > > Application
> Security> auditing company and they use this as their core 
> > > tool
> because of both the
> > accuracy of the tool and the responsiveness of the company.  
>
>
> > > In the
> > training I got to learn how to effectively use the a whole 
> > > suite
> of tools
> > including a Web Brute force attacker, SQL Injector, Proxy,
> Encoders /
> > Decoders, and Web Service assessment tools to name a few.
>
> > The tool is a little pricey, but I work with litterally 
> > > dozens
> of campus
> > departments and have evaluated LAMP, JAVA/ORACLE, 
> > > ASP.NET/SQL
> Server and
> > even VBScript/Access systems with the WebInspect Suite of 
> > > tools.
> The #1
> > comment I get from the developers is how helpful the report 
> > > was in
> > correcting their code. For that broad spectrum of coding
> enviroments I
> > couldn't possibly provide code level help to the developers
> without this
> > product.
>
> > We've been using it now for almost a year and the 
> > > responsiveness
> of their
> > Sales and Technial staff has been extreme.  I haven't had a
> single issue
> > that wasn't resolved in less than 24 hours.  I've also 
> > > gotten a
> lot of
> > support from their sales staff regarding application 
> > > security
> awareness> for our campus developers in general.
>
> > One last thing to mention is the updates.  I have never seen 
>
>
> > > a
> tool that
> > is so consistently updated.  I have run 2 or 3 assessments 
> > > in
> the same day
> > and had updates for new vulnerabilities made available each 
> > > time
> I ran the
> > tool.  If a week goes by without using it there can be
> litterally 100's of
> > new signatures it needs to add to the list.
>
> > If you have more questions and want to talk offline I'd be 
> > > happy
> to answer
> > them.
>
> > Allen Brokken
> > Systems Security Analyst - Principal
> > Univeristy of Missouri
> > brokkena () missouri edu
>
>
> > > >
> > >
> > >
> > > -----------------------------------------------------------------

> > -------------
> >
> > > FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That 


> > You 
> >
> > > Don't
> > >
> > > Learn the hacker's secrets that compromise wireless LANs. Secure 


> > your
> >
> > > WLAN by understanding these threats, available hacking tools and 


> > proven
> >
> > > countermeasures. Defend your WLAN against man-in-the-Middle 
> >
> > attacks and
> >
> > > session hijacking, denial-of-service, rogue access points, 
> >
> > identity
> >
> > > thefts and MAC spoofing. Request your complimentary white paper 
> >
> > at:
> >
> > > http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
> > > -----------------------------------------------------------------


> > --------------
> > Kyle Starkey
> > Senior Security Consultant
> > SiegeWorks
> > Cell: 435-962-8986




> Concerned about your privacy? Follow this link to get
> secure FREE email: http://www.hushmail.com/?l=2

> Free, ultra-private instant messaging with Hush Messenger
> http://www.hushmail.com/services-messenger?l=434

> Promote security and make money with the Hushmail Affiliate Program: 
> http://www.hushmail.com/about-affiliate?l=427


> ------------------------------------------------------------------------------
> FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

> Learn the hacker's secrets that compromise wireless LANs. Secure your
> WLAN by understanding these threats, available hacking tools and proven
> countermeasures. Defend your WLAN against man-in-the-Middle attacks and
> session hijacking, denial-of-service, rogue access points, identity
> thefts and MAC spoofing. Request your complimentary white paper at:

> http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
> -------------------------------------------------------------------------------