Network Security Web-App-Sec

Re: Of the three expensive vulnerability scanners

Subject: Re: Of the three expensive vulnerability scanners
Date: 10 Oct 2004 19:45:05 -0000
In-Reply-To: <20041007153115.28058.qmail@www.securityfocus.com>

Hi! I sought to answer this question for myself a while back, so hopefully 
you'll find my own experiences here useful. First, consider
the types of applications and the application environment you will be
securing. Depending upon the complexity of the web application you're
dealing with, you're likely to get quickly diminishing returns from the tools you 
have mentioned. Strong manual testing capabilities are a must, in my opinion, 
and sadly a lot of commercial apps fall short there.

When possible, you should contact the vendors and acquire a demo license in 
order to get a feel for how a tool actually performs. If that's not available, 
then you should sit down with the vendors and get a hands on session.

SPI Dynamics is very demo friendly. You'll find their people polite, 
professional, and quick to respond once you download the product. So if you 
want to take a look at it, just contact Natalie Hinkle 
<nhinkle@spidynamics.com> if you have any questions or run into problems 
downloading it. Also, if you go this route, be sure to download the SPI Toolkit, 
which includes some manual pen testing utilities.

With Sanctum, acquiring a demo was more difficult; I had to speak with
the salesperson's manager and then wait a few days, only to be declined. Only 
after sending an email to their VP Internal Sales together with my resume did I 
manage to get a demo. You may have better results. Jane Foulkes 
<jfoulkes@sanctuminc.com> is a sales person you can contact over there.

Last I checked Scando did not have a demo available at all.

I would also strongly encourage you to contact Cenzic and discuss having a look 
at their up and coming version of Hailstorm 2.0. It's by far the most extensible 
of the available commercial offerings. The tool provides a nice balance of 
automated versus manual app spidering, allows you to record and replay 
complicated HTTP sessions (which they call traversals) and then you can apply 
different types of security policies as Hailstorm iteratively steps through the 
web application. You can also create your own policies and have full control 
over the fault injectors which interrogate the app, as well as types of 
response conditions you're interested in detecting. This tool shows an 
incredible amount of promise, so it would probably be in your interest to 
evaluate it. You can contact Mandeep Khera over there <mandeep@cenzic.com> if 
you're interested in finding out more about it.

Also, browse the recent archives of this list because your question
has surfaced in various forms and you'll be able to find a variety of
useful perspectives.

--Tom
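The record-and-replay model Tom describes for Hailstorm (a recorded traversal, a policy made of fault injectors and response conditions, the tool stepping through the session and re-running each step with mutated input) is the same shape you would use when benchmarking any scanner against a lab application with known findings. The following is an added, self-contained illustration, not Hailstorm's code or the original post's: `Step`, `Policy`, `ToyApp`, `run_policy` and the two-step login-then-search traversal are all constructed here. The toy app is deliberately stateful so the example also shows why session replay matters: the same injection run against the search step in isolation reports nothing, because the app rejects it as unauthenticated.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Step:
    """One recorded HTTP request in a traversal (hypothetical simplified shape)."""
    method: str
    path: str
    params: dict


@dataclass
class Response:
    status: int
    body: str


class ToyApp:
    """Constructed lab application. It is stateful (login before search), so a
    later step only behaves normally after the earlier steps were replayed."""

    def __init__(self):
        self.logged_in = False

    def handle(self, step: Step) -> Response:
        if step.path == "/login":
            if step.params.get("user") == "alice" and step.params.get("pw") == "s3cret":
                self.logged_in = True
                return Response(200, "welcome alice")
            return Response(401, "bad credentials")
        if step.path == "/search":
            if not self.logged_in:
                return Response(403, "login required")
            q = step.params.get("q", "")
            # Constructed weak spot for the harness to find: an unbalanced quote
            # makes the toy "database" layer fail and its error text leak into the page.
            if q.count("'") % 2 == 1:
                return Response(500, "database error: syntax error near " + q)
            return Response(200, "results for " + q)
        return Response(404, "not found")


# A recorded traversal (constructed): log in, then run a search that needs the session.
TRAVERSAL = [
    Step("POST", "/login", {"user": "alice", "pw": "s3cret"}),
    Step("GET", "/search", {"q": "books"}),
]


# Fault injectors: each transforms one parameter value.
def append_quote(value: str) -> str:
    return value + "'"


def long_value(value: str) -> str:
    return value + "A" * 1000


# Response conditions: each returns a label when a response looks interesting.
ERROR_TEXT = re.compile(r"syntax error|stack trace|exception", re.IGNORECASE)


def server_error(resp: Response) -> Optional[str]:
    return "server_error" if resp.status >= 500 else None


def error_text(resp: Response) -> Optional[str]:
    return "error_text" if ERROR_TEXT.search(resp.body) else None


@dataclass
class Policy:
    name: str
    injectors: list
    conditions: list


DEFAULT_POLICY = Policy("input-handling", [append_quote, long_value], [server_error, error_text])


def replay(steps, app_factory):
    """Replay steps in order against a fresh app instance and return the responses."""
    app = app_factory()
    return [app.handle(s) for s in steps]


def run_policy(traversal, policy, app_factory, stateful=True):
    """Step through the traversal; at each step mutate one parameter with each
    injector, replay, and report conditions that fire on the mutated step but not
    on the unmodified baseline, so the app's normal behaviour is never reported."""
    baseline = replay(traversal, app_factory)
    findings = []
    for i, step in enumerate(traversal):
        for pname, pvalue in step.params.items():
            for inj in policy.injectors:
                mutated = Step(step.method, step.path, {**step.params, pname: inj(pvalue)})
                if stateful:
                    # Replay the prefix first so the mutated request lands in the right session state.
                    resp = replay(traversal[:i] + [mutated], app_factory)[i]
                else:
                    # Fire the mutated request alone, as a crawler with no session replay would.
                    resp = replay([mutated], app_factory)[0]
                for cond in policy.conditions:
                    label = cond(resp)
                    if label and not cond(baseline[i]):
                        findings.append({"step": i, "path": step.path, "param": pname,
                                         "injector": inj.__name__, "condition": label})
    return findings


if __name__ == "__main__":
    for f in run_policy(TRAVERSAL, DEFAULT_POLICY, ToyApp):
        print(f)
    print("stateless findings:", run_policy(TRAVERSAL, DEFAULT_POLICY, ToyApp, stateful=False))
```

Run stand-alone, the stateful pass reports two findings on the `q` parameter of `/search` (one per condition, both triggered by `append_quote`), while the stateless pass reports none. When comparing scanners, the baseline subtraction is the part worth copying: a condition that also fires on the unmodified traversal is noise from the application, not a finding.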
