Educause Security Discussion mailing list archives

Summary of responses to query regarding web vulnerability assessment scanners and consultants


From: Morrow Long <morrow.long () YALE EDU>
Date: Wed, 5 Mar 2008 18:38:46 -0500

Summary:

WebInspect and Appscan were used in an even # of institutions
according to the query's respondents.

Appscan had comments such as "more complete" and "better reporting", but
WebInspect was also liked by many who used it.

Acunetix, Nexpose and Nstalker were also mentioned. Some
institutions are using multiple tools as well as both
automatic scanning, code reviews, security design, network penetration
tools, consultants, manual assessment and
semi-manual tools such as Paros, Web Scarab, etc.

There were 19 responses to my query to the Educause Security list,
UniSOG, and the IVY+ InfoSec lists that
directly addressed the tools used. There were very few responses
regarding hiring firms and consultants to do the
work. Many good points were made that the commercial scanners have
many false positives and negatives
(they can produce a lot of output that has to be verified, and they don't find
every vulnerability/exposure) and that manual
scanning/assessments of web applications are much better and more accurate
(though labor/time/$ intensive).

The overwhelming majority of responses were on the Educause Security
list and the thread eventually went
into other areas. Here is the distilled count:

    Commercial software:

        7 Schools use WebInspect
        7 Schools use IBM's WatchFire AppScan
        2 Use Acunetix
        2 Use Nexpose
        1 Use Nstalker

    Open Source Tools:

        Many using Web Scarab,  Paros and other manual, semi-manual tools.

Paraphrased comments:

        We use WebInspect - like it.
        Auditors licensed WebInspect several years ago. From Steve Stines.
        Use IBM Watchfire + peer review + std practices. Call ktriley () berkeley edu.
        WebInspect - valuable for security & QA. Vuln desc detailed & good refs.
        Both WebInspect and Appscan are licensed and good.
        WebInspect - like it.
        using nstalker for the past couple of years & generally pleased
        Appscan (more complete) and Nexpose (more user friendly, better rpt)
        Web Inspect - decent. All products have many false pos & neg. Manual better.
        Developers use Web Scarab (a semi-manual/auto tool) & are happy.
        WebXM/AppScan - solid and getting better. 250 developers use it.
        Use Acunetix, Core Impact, Web Scarab, Paros in combination.
        Appscan: pleased, chosen via bake-off. Understandable rpts by laypeople.
        Acunetix- primary tool, very decent results at competitive price.
        AppScan and WebInspect similar. Better is manual with WebScarab.
        Manual assessment using Paros, Web Scarab,
        Security Design Reviews, Code Reviews and manual testing are best.
        using IBM Rational AppScan - reports good for developers
        Uses WebInspect, but evaluating and looking to use Nexpose also.

Credits (Participants):

        Notre Dame, Gary Dobbins
        U Penn, Dave Millar
        UC Berkeley, Bill Allison
        U Pittsburgh, Kevin Johnson
        U Colorado Boulder, Brad Judy
        Northwestern, Roger Safian
        UNC Charlotte, Carter Heath
        Columbia, Joel Rosenblatt
        KU School of Arch, Dave Hull
        U of Auckland NZ, Russell Fulton
        UT Austin, Cam Beazley
        VT.EDU, Randy Marchany
        Penn State, Kathy Kimball
        U IOWA, Samuel Petreski
        UNC, Alex Everett
        SIU.EDU, Curt W
        MTSAC, Darwin Macatiag
        Princeton, Anthony Scaturro
        CMU.EDU, Doug Mariewicz



H. Morrow Long
University Information Security Officer
Director -  Information Security Office