Re: Comparison report on web app security scanners now translated to English

[Rogan Dawes <rogan () dawes za net>]

Holger.Peine () iese fraunhofer de wrote:
> On May 5th, I posted the URL for a comparison report on web app security
> scanners
> to this list:
> http://fhgonline.fraunhofer.de/server?suche-publica&num=048.06/D&iese
> Here is what I wrote about the contents of the report at that time:
> "As I had mentioned in another posting to this list some time ago,
> a few months ago I completed a fairly extensive review of various
> tools: AppScan, WebInspect, Acunetix, (note AppScan and WebInspect
> have produced new versions since then), Burp, WebScarab, Spike Proxy, 
> and some minor remarks on a few other tools. I used two applications as 
> benchmarks: WebGoat and a proprietary application in production use. 
> The report totals to about 170 pages."
>
> However, at that time in May, there was no English translation of the
> German 
> original, which many people have asked for meanwhile. Yesterday, I was 
> surprised to hear that Cenzic Inc. have had the report translated. So
> here is 
> the English version now, a bit rough on the edges, but you will
> certainly
> get the picture:
> http://www.iese.fraunhofer.de/download/Security-Checker-Tools-for-Web-Ap
> plications.pdf
> (that link will be valid for four weeks from today).
>
> My thanks go to Cenzic for this contribution to the community.
>
> Kind regards,
> Holger Peine


Hi Holger,

I read with interest the translated version of your document. One thing 
that amused me a lot is the report of how Spike Proxy supports VulnXML.

In fact, the 1500-odd VulnXML tests that SpikeProxy ships with were 
actually created by myself from the Nikto database available at the 
time, using a simple script. I doubt that they have been updated since 
then (although I have not checked).

You might wonder why WebScarab never implemented the VulnXML tests, 
since I created the specification. In fact, I concluded that in order to 
achieve a meaningful spectrum of tests using VulnXML, we would have to 
define and implement a near-Turing-complete language. XML is clearly not 
the right tool for such a task, and so the effort languished and died.

To summarise, a tester would get better results by using an up-to-date 
version of Nikto, rather than relying on the VulnXML tests in Spike 
Proxy. (assuming they were not updated and extended from the original 
set created)

Regards,

Rogan Dawes

P.S. Thanks a lot for your work in comparing these tools. I can see that 
you went to a lot of effort to test them, and your/Fraunhofer's 
publishing of the results to the broader community is much appreciated!

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. 
Download a free trial of AppScan today and see why more customers choose 
AppScan then any other solution. Try it today!
 
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------