RE: Open Source Application Vulnerability Assessment Tools

The lack of info is because, in this domain,
there really isn't anything in the "automated
web app scanner" domain worth using.

For manual testing, there are a ton of tools.

Undertaking the creation of one is challenging.

The variables are certainly far, far higher
than harnessing a scripted testing engine
and regex matcher to a port scanner/protocol
fingerprinter, a'la Nessus.

This is a much harder problem, more variables,
and not many folks do a good job at it. (These
are smart folks too, but it's a hard problem).

</free_lunch>

-ae

> -----Original Message-----
> From: listbounce@securityfocus.com 
> [mailto:listbounce@securityfocus.com] On Behalf Of Aman Raheja
> Sent: Thursday, September 28, 2006 4:01 PM
> To: Brokken, Allen P.; webappsec@securityfocus.com
> Subject: Re: Open Source Application Vulnerability Assessment Tools
>
> Some tools are listed here
>
> http://sectools.org/web-scanners.html
>
> Aman Raheja, CISSP
> PGP Key: www.techquotes.com/araheja.asc
>
>
> On Wed, 27 Sep 2006 14:40:19 -0500, "Brokken, Allen P." 
> <BrokkenA@missouri.edu> wrote :
>
> >     
> > On this list we talk a lot about various vendor provided 
> tools quite a
> > bit.  In general it appears most solutions are 
> Windows-centric in their
> > installation even if they work against multiple platforms.  
> >
> > With the prevalence of LAMP systems I would figure there 
> must be some
> > means of doing a security assessment on their applications 
> with native
> > tools.  It seems odd to me that there isn't a NESSUS equivalent for
> > application testing.  I'm wondering what is available from the Open
> > Source community in the way of
> >
> > * Black Box web assessment software
> > * Source code assessment software
> > * Assessment management software
> >
> > I'm more looking for names/urls to projects than I am for any
> > comparisons or descriptions.
> >
> > Allen Brokken
> >
> > Information Security and Account Management - IAT Services 
> - University
> > of Missouri -brokkena@missouri.edu - (573)884-8708
> --------------------------------------------------------------
> -----------
> > Sponsored by: Watchfire
> >
> > It's been reported that 75% of websites are vulnerable to 
> attack. That's
> > because hackers know to exploit weaknesses in web applications.
> > Traditional approaches to securing these assets no longer 
> apply. Download
> > the "Addressing Challenges in Application Security" 
> whitepaper today, and
> > see for yourself.
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70150
> 0000008Vmw
> >
> --------------------------------------------------------------
> ------------
> >
>
> --------------------------------------------------------------
> -----------
> Sponsored by: Watchfire
>
> It's been reported that 75% of websites are vulnerable to 
> attack. That's 
> because hackers know to exploit weaknesses in web applications. 
> Traditional approaches to securing these assets no longer 
> apply. Download 
> the "Addressing Challenges in Application Security" 
> whitepaper today, and 
> see for yourself.
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70150
> 0000008Vmw
> --------------------------------------------------------------
> ------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's 
because hackers know to exploit weaknesses in web applications. 
Traditional approaches to securing these assets no longer apply. Download 
the "Addressing Challenges in Application Security" whitepaper today, and 
see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------