WebApp Sec mailing list archives
RE: Good benchmark application for web security testing tools?
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 7 Oct 2005 15:02:15 -0500
This sounds like it will be a more effective approach than most of what is out there now:
-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Thursday, October 06, 2005 10:27 AM
[...]
Hacme Bank is now in Rev 2 (re-write including web services and new
[...]
That said, it's not a good benchmarking tool for testing these tools, nor is WebGoat.
exactly
SiteGenerator however will be and is being specifically developed for
Will this be a public domain, open-source application? Who will be making SiteGenerator available? Foundstone? [...]
We won't publish any results of tools themselves, but the tool is designed so people can do that against an environment that is like their own and not some canned site (I can't believe anyone would buy based on results from a canned site built by a vendor of the product, but I guess some do.)
People can and do use vendor tautologies (in the definition of 'self-proving frameworks') to validate their multi-$100,000 purchases of webappsec scanners, WAFs, etc. I see this regularly. Sad but true.
I am sure people will share results in public.
If SiteGenerator can be coupled with rigorous definitions and methods for evaluation, this would be good. If I find some time, I'll post some recent webapp scanner reviews and point out why/where they are low quality and/or completely inaccurate. The problem is getting worse, not better, right now. Awareness of the issues is growing exponentially but *understanding* hasn't grown with it. -ae