RE: Top webapp pentesting vendors?

["Erin Carroll" <amoeba () amoebazone com>]

I'll keep this to vendors since I don't want to pimp my own company for the
consulting portion of the question (trying to keep this advice neutral...
but if you want to contact me off-list we kick ass in this area. Just
sayin'... *grin*)

I've used SPI Dynamic's WebInspect many times in the past both as an
engagement-based license and as an annual purchase customer and can attest
that the product is top notch. SPI was bought by HP so it's HP WebInspect
now.

Watchfire's AppScan is also an excellent product. With the newest release
you have the ability to use external modules/apps for various call-out
purposes or data dumps so it provides a fairly nice framework workspace with
a lot of flexibility and extension. I don't have as much hands-on with their
newest as WebInspect but they have consistently been solid.

Others have mentioned vendors to look into but you have to realize that
without some in-house expertise to get the best ROI and performance from
these tools you're only going to catch the low-hanging fruit. If your
application environment is very complex automated tools will only get you so
far and will miss a lot. If these are major concerns then you may be better
off going with a services solution provider that specializes in the area.
You don't specify if this is compliance driven which is another factor to
consider. Some consulting shops will provide great results from a
vulnerability assessment viewpoint but may not be able to adequately address
compliance or auditing concerns.

Hope you find the info you are looking for,


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"





-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of David Barnett
Sent: Tuesday, April 08, 2008 7:09 PM
To: webappsec () securityfocus com; billbrietstout () yahoo com
Subject: Re: Top webapp pentesting vendors?

I would not consider Trustwave for any web application testing. They
are a PCI shop.
I highly recommend WhiteHat. Everyone there really knows this area.
Also, Spidynamics, or even Cybertrust,


On Mon, Apr 7, 2008 at 10:36 PM, Clint P. Garrison
<garrison.clint () gmail com> wrote:
> I would look at Trustwave. They specialize in e-commerce web applications
>  security, including pen-testing and code reviews.
https://www.trustwave.com
>  Send me your contact information and I can get you in touch with the
right
>  people to answer any questions you may have.
>
>  Clint P. Garrison
>  MBA, MS, CISSP, QSA
>
>
>
>  -----Original Message-----
>  From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On
>  Behalf Of Bill Stout
>  Sent: Monday, April 07, 2008 6:56 PM
>  To: webappsec () securityfocus com
>  Subject: Top webapp pentesting vendors?
>
>  Hello All,
>  I'm not sure if this is an appropriate question for the list, but who are
>  the top consulting companies or vendors for webapp security?
>  Specifically, I'm searching for consulting orgs that can audit a complex
web
>  site with some ecommerce functions.
>  Thanks,
>  Bill Stout
>
>  -------------------------------------------------------------------------
>  Sponsored by: Watchfire
>  Methodologies & Tools for Web Application Security Assessment
>  With the rapid rise in the number and types of security threats, web
>  application security assessments should be considered a crucial phase in
the
>  development of any web application. What methodology should be followed?
>  What tools can accelerate the assessment process? Download this
Whitepaper
>  today!
>
>  https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
>  -------------------------------------------------------------------------
>
>
>
>  -------------------------------------------------------------------------
>  Sponsored by: Watchfire
>  Methodologies & Tools for Web Application Security Assessment
>  With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!
>  https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
>  -------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------