WebApp Sec mailing list archives

RE: Good benchmark application for web security testing tools?


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 4 Oct 2005 16:47:51 -0500

--comments inline--

-----Original Message-----
From: Steven Rebello [mailto:stevenr () mastek com] 

How about Foundstone's HacmeBank
(www.foundstone.com/resources/proddesc/hacmebank.htm)? Has anyone tried
this application for benchmarking?

Yes. This is not a very good application for benchmarking.

The only good applications for benchmarking currently are
the applications you are going to run the scanner on.

The scan tools can vary wildly on different apps.

I am scrambling to update my tools presentation for OWASP/NIST
DC and I'll talk more there about why the above is true, and examine
some differences and failings in the scanner contenders versus
human eyeballs, even on the stuff that should be *automatable*.

God help you if my slides make any sense and you don't attend
the presentation, but for amusement's sake they will be available
so you can download them and give them a spin after the conf.

I actually have a fair bit of the info in HTML I will try to
get on the portal for conference release.

I would like to introduce something "tangible" at OWASP/DC
like the brilliant OWASP Guide PDF, minus the brilliance & PDF.

Benchmarking,

-ae