Penetration Testing mailing list archives
RE: Spi's products worth a try? Or any suggestions for developers' tool?
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 7 Nov 2005 11:54:12 -0600
Advert aside, Mike brings up a very important point about "web application security", math, technology, ethics, and which vendor you should vote for with your dollars:
-----Original Message-----
From: Mike Pearson [mailto:mp () digitalstakeout com]
Sent: Sunday, November 06, 2005 11:37 AM
To: pen-test () securityfocus com

My company conducted a thorough evaluation of SPI WebInspect, Watchfire AppScan, Acunetix and various open source products and ended up choosing a combination of AppScan and open source as the primary backend for our service, Threat Portal VMS.
You offer a hosted dashboard and promise of automation for something that requires human eyeballs and brains. Your service will appeal to unsuspecting folks with misguided desires to *replace* human analysis. The confusion over what can and cannot be automated is part of _The_Problem_ with appsec today. Reference Rice's Theorem before starting an anecdotal debate with me on this.
One thing to keep in mind is that Watchfire holds the definitive patent for conducting intelligent web crawling for vulnerabilities. Both SPI and Acunetix had to pay Watchfire multi-million dollar royalty payments in order to use the patent. SPI may be a little faster with new updates but Watchfire invented the process.
Invented "the process", huh? What about all us bipeds that were performing this "process" with our eyeballs well before Perfecto then Sanctum now Watchfire "patented" it?

But this is an *important* point. Let's expand on it:

Without naming names, let us posit that there was a vendor who "patented" something ridiculous during a phase of immaturity in patent office understanding of the concepts involved. Then let us say the same vendor went out and used that patent as a weapon to (a) raise prices of competitors' products and (b) stifle independent and university research.

I would consider this highly unethical behavior, and humbly submit that anyone who supports a vendor who perpetuates these business practices is also unethical, and harming the rest of us by supporting anti-competitive practices and stifling research and innovation that would benefit us all.

I do not know if such a vendor exists, but if they did, you could probably build a clear timeline of such activities by researching patent grant, litigation, press releases announcing which vendors caved in to "royalties", when new web appsec research projects disappeared, and when innovative new tools from university and independent research were pulled from public release. After constructing such a timeline, it should be pretty clear if such a vendor exists.

Vote with your dollars and your mouth.

Disclaimer: Comments and conclusions about ethics are my own and do not in any way represent the position of my employer or any other group I am affiliated with.

-ae