WebApp Sec mailing list archives
RE: Comparison report on web app security scanners
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Thu, 18 May 2006 09:27:22 +0100
I am looking forward to the results of a public quantifiable test using SiteGenerator and a consistent set of criteria.
The general problem with benchmarking though is that when you have nothing formal it seems like a really good idea, but as soon as you have a formalised standard test set, all the top vendors will simply re-engineered to find 100% of all the benchmark test cases by default, and there will still be nothing on which to select between them. Additionally, many vendors will end up building a specific rule to test for the exact circumstances of the test case, rather than analysing for the generalised principal (such as checking for only a script tag, rather than looking for unescaped data in the wrong place). The benchmark could end up providing a false sense of security. I quite like academic approach taken by the fine Dr; select your test set independently (to suite your own needs), run your tests empirically, publish all detail. The only down side to the report that provoked this thread is that it also included an unnamed application, so the results are not independently repeatable/verifiable. Martin... ---------------------------------------------------------------------- CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise. ---------------------------------------------------------------------- DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated. ---------------------------------------------------------------------- Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF Telephone: +44(0)1483-226000 Email:info () corsaire com ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- Re: Comparison report on web app security scanners, (continued)
- Re: Comparison report on web app security scanners Zaninotti, Thiago (May 18)
- Re: Comparison report on web app security scanners Eoin (May 17)
- RE: Comparison report on web app security scanners Mark Curphey (May 17)
- RE: Comparison report on web app security scanners Bogdan Calin (May 18)
- Re: Comparison report on web app security scanners solutions_PHP (May 18)
- Re: Comparison report on web app security scanners Bogdan Calin (May 18)
- RE: Comparison report on web app security scanners Mark Curphey (May 19)
- WAF learning ability limitation? matt farey (May 19)
- Re: Comparison report on web app security scanners solutions_PHP (May 19)