WebApp Sec mailing list archives

Re: Spi's products worth a try? CENZIC BUSTED


From: Super App Master One <superappmasterzero () gmail com>
Date: Mon, 7 Nov 2005 20:50:48 -0500

Normally these types of threads spiral downward quickly, but this one
contained something not to be missed.

- The thread started out as a simple question about impressions
towards SPI's scanning tool.
(These are good discussion topics when conducted properly.)

- Shortly thereafter Phil Pavay from Cenzic, a scanner competitor,
posts the following.
"I am a participant in this email list and very much appreciate the
technical content and learned opinions and research discussed within
these topics. I am also under the impression (and would like the
moderator to clarify) that this is not a marketing and sales tool for
the vendors. "

An innocent post to be sure.

- A few posts later, the mysterious and never before seen App Master
(appmasterzero () hotmail com) pulls out what can be described as a
lengthy pro-Cenzic marketing email. We saw it for what it was.

(Moderators have a hard job determining if posts like this should
be allowed with the risk of limiting what could be the opinions of
real people. Andrew, keep up the good work.)

- Here's where it gets interesting. What App Master may not know is
that web mail providers (like Hotmail) typically send an
"X-Originating-Ip" email header letting the world know who you are or
where you came from. Header from App Master's post in question:

X-Originating-Ip:     [64.60.123.42]

Trusty nslookup reveals:

$ nslookup 64.60.123.42
Non-authoritative answer:
42.123.60.64.in-addr.arpa       canonical name =
42.40/29.123.60.64.in-addr.arpa.
42.40/29.123.60.64.in-addr.arpa name = gate.cenzic.com.

That's right, none other than Cenzic. Perhaps Phil got a little
jealous when the topic was really "impressions towards SPI's scanning
tool".

There you have it boys, girls, and especially over-anxious marketing
people. When you try to be clever, make sure you know what you're doing
or you risk some humiliation. This type of behavior is exactly why
the list charter is how it is.


Super Appman Zero.




On Nov 7, 2005, at 1:04 PM, App Master wrote:

Aman,

Cenzic's Hailstorm has also received great reviews. In my
experience it's the most accurate tool available for auditing a web
application for security vulnerabilities. Gives you lots of
control. It would be very useful for your developers to use to
scan their applications. Hailstorm itself doesn't do source code
scanning, but it excels in statefully testing a web application
for vulnerability, and in this regard, you will find its results
reliable and second to none.

Please allow me to explain:

When you manually test an application, it's time-consuming, but it
has the advantage of greater accuracy than you ordinarily get out
of an ordinary off-the-shelf "App Scanner."  You see, a lot of
security products are just like machine guns that fire strings at
an application and then grep the HTML for another response string.
This is the reason that after you run them it takes so long to
verify if the results are correct or not, because it's mostly pure
signature matching -- stateless -- of raw HTML and server response
codes, without any visibility as to what is occurring in the browser
(at the application level), or if the application is causally or
statefully affected by injected values.

Hailstorm does it differently, using what you might think of as
active payloads. It monitors what each injected payload does and
then monitors browser memory (it uses a baked-in version of
Mozilla) to trap when code or events execute in the application
space as a result of its actions. This is a world of difference
between other black-box tools. Hailstorm also uses fairly advanced
AI when it comes to analyzing server behavior: heuristics, causal
and behavior triggers, a significant number of configuration
options for advanced tuning. I like it because it gives me better,
more accurate, more actionable, results. Period. I am certain it
would benefit your team.

Check it out at: www.cenzic.com

Thanks

Appman Zero
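As an added example that is not from either poster, here is the attribution check the first reply describes, done in Python: pull X-Originating-IP out of raw message headers, build the in-addr.arpa name a PTR query uses, and follow the RFC 2317-style CNAME chain that the nslookup output above shows. The message text and the zone table are constructed stand-ins for the real headers and for live DNS, so the block runs offline.

```python
import ipaddress
from email import message_from_string

# Constructed sample headers (not the post's full header block); only the
# X-Originating-Ip value is the one quoted in the thread.
SAMPLE_MESSAGE = """From: App Master <appmasterzero@hotmail.example>
Subject: Re: Spi's products worth a try?
X-Originating-Ip: [64.60.123.42]

body text
"""

# Constructed stand-in for DNS, modelled on the nslookup output in the thread:
# classless reverse delegation (RFC 2317) makes the /32 name a CNAME into a
# "40/29" sub-zone, and the PTR record lives there.
FAKE_ZONE = {
    "42.123.60.64.in-addr.arpa": ("CNAME", "42.40/29.123.60.64.in-addr.arpa"),
    "42.40/29.123.60.64.in-addr.arpa": ("PTR", "gate.cenzic.com"),
}

def originating_ip(raw_message):
    """Return the X-Originating-IP value as an ipaddress object, or None.
    Webmail gateways wrap the address in square brackets, so strip them."""
    msg = message_from_string(raw_message)
    value = msg.get("X-Originating-IP")  # header lookup is case-insensitive
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        return None  # malformed or spoofed value: do not trust it

def reverse_name(addr):
    """Build the in-addr.arpa (or ip6.arpa) owner name a PTR query would use."""
    return addr.reverse_pointer

def resolve_ptr(name, zone, max_hops=8):
    """Follow CNAMEs in `zone` until a PTR is found; None on dead end or loop."""
    for _ in range(max_hops):
        rtype, target = zone.get(name, (None, None))
        if rtype == "PTR":
            return target
        if rtype != "CNAME":
            return None
        name = target
    return None

def attribute_sender(raw_message, zone=FAKE_ZONE):
    """Header -> address -> reverse name -> PTR target, or None at any gap."""
    addr = originating_ip(raw_message)
    return None if addr is None else resolve_ptr(reverse_name(addr), zone)
```

Against a live resolver the zone table would be replaced by an actual PTR query; the CNAME hop is what makes the two-line nslookup answer in the thread look odd.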

