Educause Security Discussion mailing list archives

Re: Experiences with Web application vulnerability assessment (1) software (2) companies


From: "Hull, Dave" <dphull () KU EDU>
Date: Wed, 27 Feb 2008 14:41:37 -0600

I have used Web Inspect, but it's been a year and a half. My experience
was that it was decent, but like many similar products it had a high number
of false positives, and it doesn't catch everything.

For really critical web applications nothing beats a well trained Q&A
team with time, tools and access to the source code. Again it's been a
year and a half since I have done line-by-line code review professionally,
but at that time it was more effective at finding flaws than any of the
automated tools I tried. Obviously it's not as fast to do it by hand.
It's that old trade off between fast, cheap and accurate. Pick two.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI 
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax  785.864.5393
"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free."
-- Eben Moglen, Software Freedom Law Center

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application vulnerability
assessment (1) software (2) companies

Have any schools had any experiences with Web application security
vulnerability assessment

(1) software -- (nstalker, appscan, etc.)

(2) companies / consultants who perform such services

Post to the list or to me.  I'll summarize.

H. Morrow Long
University Information Security Officer
Director -  Information Security Office
