Educause Security Discussion mailing list archives
Re: Experiences with Web application vulnerability assessment (1) software (2) companies
From: "Hull, Dave" <dphull () KU EDU>
Date: Wed, 27 Feb 2008 14:41:37 -0600
I have used Web Inspect, but it's been a year and a half. My experience was that it was decent, but like many similar products it had a high number of false positives, and it doesn't catch everything. For really critical web applications nothing beats a well trained Q&A team with time, tools and access to the source code. Again, it's been a year and a half since I have done line-by-line code review professionally, but at that time it was more effective at finding flaws than any of the automated tools I tried. Obviously it's not as fast to do it by hand. It's that old trade off between fast, cheap and accurate. Pick two.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax 785.864.5393

"The free world says that software is the embodiment of knowledge about technology, which needs to be free in the same way that mathematics is free." -- Eben Moglen, Software Freedom Law Center

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies

Have any schools had any experiences with Web application security vulnerability assessment
(1) software -- (nstalker, appscan, etc.)
(2) companies / consultants who perform such services

Post to the list or to me. I'll summarize.

H. Morrow Long
University Information Security Officer
Director - Information Security Office
Current thread:
- Experiences with Web application vulnerability assessment (1) software (2) companies Morrow Long (Feb 27)
- <Possible follow-ups>
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Gary Dobbins (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Johnson, Kevin (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Roger Safian (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Hull, Dave (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Randy Marchany (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Hull, Dave (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Halliday,Paul (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Petreski, Samuel (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Alex (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies curtw () siu edu (Feb 27)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Darwin Macatiag (Feb 28)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Alex (Feb 28)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Bob Doyle (Feb 29)
- Re: Experiences with Web application vulnerability assessment (1) software (2) companies Darwin Macatiag (Feb 29)
(Thread continues...)