Educause Security Discussion mailing list archives
Summary of responses to query regarding web vulnerability assessment scanners and consultants
From: Morrow Long <morrow.long () YALE EDU>
Date: Wed, 5 Mar 2008 18:38:46 -0500
Summary: WebInspect and AppScan were used in an even number of institutions according to the query's respondents. AppScan had comments such as "more complete" and "better reporting", but WebInspect was also liked by many who used it. Acunetix, Nexpose and N-Stalker were mentioned also. Some institutions are using multiple tools as well as both automatic scanning, code reviews, security design, network penetration tools, consultants, manual assessment and semi-manual tools such as Paros, WebScarab, etc.

There were 19 responses to my query to the Educause Security list, UniSOG, and the IVY+ InfoSec lists which directly addressed tools used. There were very few responses regarding hiring firms and consultants to do the work. Many good points were made that the commercial scanners have many false positives and negatives (they can produce a lot of output that has to be verified and don't find every vulnerability/exposure) and that manual scanning/assessments of web applications are much better and more accurate (though labor/time/$ intensive). The overwhelming majority of responses were on the Educause Security list and the thread eventually went into other areas.

Here is the distilled count:

Commercial software:
7 schools use WebInspect
7 schools use IBM's Watchfire AppScan
2 use Acunetix
2 use Nexpose
1 uses N-Stalker

Open source tools:
Many using WebScarab, Paros and other manual/semi-manual tools.

Paraphrased comments:
- We use WebInspect - like it.
- Auditors licensed WebInspect several years ago. From Steve Stines.
- Use IBM Watchfire + peer review + standard practices. Call ktriley () berkeley edu.
- WebInspect - valuable for security & QA. Vulnerability descriptions detailed & good references.
- Both WebInspect and AppScan are licensed and good.
- WebInspect - like it.
- Using N-Stalker for the past couple of years & generally pleased.
- AppScan (more complete) and Nexpose (more user friendly, better reports).
- WebInspect - decent.
- All products have many false positives & negatives. Manual is better.
- Developers use WebScarab (a semi-manual/automatic tool) & are happy.
- WebXM/AppScan - solid and getting better. 250 developers use it.
- Use Acunetix, Core Impact, WebScarab, Paros in combination.
- AppScan: pleased, chosen via bake-off. Reports understandable by laypeople.
- Acunetix - primary tool, very decent results at a competitive price.
- AppScan and WebInspect similar. Better is manual with WebScarab.
- Manual assessment using Paros, WebScarab, security design reviews, code reviews and manual testing are best.
- Using IBM Rational AppScan - reports good for developers.
- Uses WebInspect, but evaluating and looking to use Nexpose also.

Credits (Participants):
Notre Dame, Gary Dobbins
U Penn, Dave Millar
UC Berkeley, Bill Allison
U Pittsburgh, Kevin Johnson
U Colorado Boulder, Brad Judy
Northwestern, Roger Safian
UNC Charlotte, Carter Heath
Columbia, Joel Rosenblatt
KU School of Arch, Dave Hull
U of Auckland NZ, Russell Fulton
UT Austin, Cam Beazley
VT.EDU, Randy Marchany
Penn State, Kathy Kimball
U IOWA, Samuel Petreski
UNC, Alex Everett
SIU.EDU, Curt W
MTSAC, Darwin Macatiag
Princeton, Anthony Scaturro
CMU.EDU, Doug Mariewicz

H. Morrow Long
University Information Security Officer
Director - Information Security Office