
RE: Automagic webapp testing tools

Subject: RE: Automagic webapp testing tools
Date: Thu, 10 Mar 2005 12:35:58 -0600
1. There will be a resource launched on www.owasp.org the first week
of April on this subject.

2. Marketing hype and dishonesty is staggering in the webappsec space.

Personally I think this is more due to a mix of ignorance and well-meaning
incompetence than some subtle sales malice, but that's irrelevant to the facts.

3. Lots of value in these automation tools *if* and *where* they work.

4. No substitute for manual testing.

5. I finished an assessment for one of the largest banks in the US and they
told me my 100+ page hand written analysis of 40-some issues was "comparable"
to the competitor that gave them 300 pages of AppScan bull****.

Printed straight out of the tool. OH-NO, robots.txt again!

6. I delight in asking vendors to explain how to exploit XST (webappscanner,
traditional vuln scanners, web app testers, whoever) and while half the time
they can't even give an attack scenario it's even better when they do and
I ask "now why would anyone do that if those preconditions are true?".

:)

-ae


-----Original Message-----
From: inflatablekiwi@gmail.com [mailto:inflatablekiwi@gmail.com] 
Sent: Wednesday, March 09, 2005 2:02 AM
To: webappsec@securityfocus.com
Subject: Automagic webapp testing tools
Hi Folks,
I currently use SPI WebInspect as part of a process for 
vulnerability assessments/pen tests on different web 
applications. The license is up for renewal soon and before 
re-purchasing, I'm wondering if anyone on the list has any 
real world thoughts/experiences on how it stacks up against 
some of the alternatives like 

- Watchfire Appscan
- Kavado ScanDo
- Any others I've missed

Any list member's thoughts (on or off the list) or pointers to 
good product comparisons for these would be much appreciated.  
I'm more of a believer in manual testing myself (yay Netcat 
and WebScarab!), but I also see the value in these sorts of tools.

Ta,
IF

p.s. Also as a totally random aside - I've recently been 
reading a couple of different security vendors' pen test 
reports for similar profile web sites and I'm amazed by the 
analysis disparity on the same simple issues (like TRACK and 
TRACE verbs being enabled - ranging from "Extreme Risk - The 
sky is falling - you will be owned now" to "Low risk - disable 
these verbs and move along").  Just saying.
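Both the reply's point 6 (asking what preconditions an XST finding actually rests on) and the original poster's p.s. (wildly different ratings for "TRACK and TRACE enabled") turn on one observable fact: does the server answer a TRACE request by reflecting the request back? The following is an added example written for this archive page, not code from either poster or from any of the scanners named; it classifies a captured TRACE response and reads the verbs advertised by an OPTIONS response so that a reviewer can check the evidence behind a scanner finding. The HTTP responses embedded below are constructed samples; no network request is made.

```python
"""Classify a server's answer to an HTTP TRACE request and list advertised verbs.

Added example for the thread above; not the posters' code. All sample
responses are constructed inline, so the module runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceResult:
    status: int
    enabled: bool
    echoed_headers: tuple[str, ...]  # request header names the server reflected back


def parse_status_and_headers(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify_trace_response(raw: str) -> TraceResult:
    """Decide whether TRACE is enabled from the server's response to a TRACE request.

    RFC 7231 section 4.3.8: a successful TRACE response carries the reflected
    request with Content-Type message/http. A 405 or 501 means the verb is
    disabled, which is the mitigation a report should be asking for.
    """
    status, headers, body = parse_status_and_headers(raw)
    ctype = headers.get("content-type", "").lower()
    enabled = status == 200 and ctype.startswith("message/http")
    echoed: tuple[str, ...] = ()
    if enabled:
        # First body line is the echoed request line; the rest are request headers.
        echoed = tuple(
            line.split(":", 1)[0].strip()
            for line in body.splitlines()[1:]
            if ":" in line
        )
    return TraceResult(status, enabled, echoed)


def methods_from_options(raw: str) -> frozenset[str]:
    """Return the verbs listed in an OPTIONS response's Allow header, upper-cased."""
    _, headers, _ = parse_status_and_headers(raw)
    allow = headers.get("allow", "")
    return frozenset(m.strip().upper() for m in allow.split(",") if m.strip())


# Constructed sample responses (not captured from any real host).
TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Content-Length: 73\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=constructed-value\r\n"
)
TRACE_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("enabled", TRACE_ENABLED), ("disabled", TRACE_DISABLED)):
        r = classify_trace_response(raw)
        print(f"{label}: status={r.status} enabled={r.enabled} echoed={r.echoed_headers}")
    print("OPTIONS advertises:", sorted(methods_from_options(OPTIONS_RESPONSE)))
```

The `echoed_headers` field is what separates the two report wordings quoted in the p.s.: a reviewer can see exactly which request headers the server reflects and rate the finding on that evidence, and the fix (a 405 or 501 for TRACE) is verified with the same classifier.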

