WebApp Sec mailing list archives
Re; Comparison report on web app security scanners
From: <jack.jonburg () hushmail com>
Date: Fri, 12 May 2006 10:52:25 -0400
First off great bit of work. Its about time marketing crap is sliced up like a hot turd it is. My German is not that great. Can I assume the basic summary from page 149 is as follows? Sanctum / Watchfire could only find 1 in 5 issues or 20% WebInspect about 6% Accuntix was so bad it wasn't worth reporting results All had so many false positives it wasnt funny. This basicaly echoes Arian Evans great work presented at OWASP last year so is consistent with what I hear from people who have bought these things and used them and polar opposite from the marketing hype. What I didnt see was a comparison of types of issues ie bugs and flaws? I imagine they are basically all at 0% on flaws but .... so based on this I know where my money is not going on my renewal license. I suspected this all along but never knew how to proove it. Again great stuff ! As I had mentioned in another posting to this list some time ago, a few months ago I completed a fairly extensive review of various tools: AppScan, WebInspect, Acunetix, (note AppScan and WebInspect have produced new versions since then), Burp, WebScarab, Spike Proxy, and some minor remarks on a few other tools. I used two applications as benchmarks: WebGoat and a proprietary application in production use. The report totals to about 170 pages. A number of people have expressed their interest in this report. Today I have finally attained a publication permit. You can download the report at http://fhgonline.fraunhofer.de/server?suche- publica&num=048.06/D&iese (that page will give the abstract and bibliographic information; click on the red link named "Volltext" to get at the actual PDF). However, note that the report is in German. I regret that I do not have the time to translate it, but anyone is invited to volunteer (and some people already have). If you want to help in translating, drop me a line (this applies even to those who already did, just to give me an updated picture); I will collect all volunteer addresses and distribute them next week, and from then on, you'll be on your own. Kind regards, Holger Peine -- Dr. Holger Peine, Security and Safety Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany Phone +49-631-6800-2134, Fax -1299 (shared) PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8 -------------------------------------------------------------------- ----- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70130000000 7t9r -------------------------------------------------------------------- ------ Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h --------------------------------------------------------------------------
Current thread:
- Re; Comparison report on web app security scanners jack.jonburg (May 12)
- <Possible follow-ups>
- RE: Re; Comparison report on web app security scanners Holger.Peine (May 15)
- Re: RE: Re; Comparison report on web app security scanners ma . huijuan (May 15)
- RE: RE: Re; Comparison report on web app security scanners Martin O'Neal (May 15)