Educause Security Discussion mailing list archives

Re: Experiences with Web application vulnerability assessment (1) software (2) companies


From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Wed, 27 Feb 2008 18:59:08 -0400

Seconded. 
 
Automated tools are great for quickly identifying potential problem areas or to satiate your resident auditor with a 
pretty graph. If this is where the assessment stops however, you are doing yourself a disservice. The Achilles heel in 
most well designed web applications is likely to be missed by all but the most persistent, thorough and oftentimes 
unorthodox eye. It is here that these solutions usually outlive their usefulness. Save your money and invest in skilled 
people.
 
That said, has anyone played with CDC's Goolag Scanner yet? ;)
 
-p

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Hull, Dave
Sent: Wed 2/27/2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability assessment (1) software (2) companies



I have used Web Inspect, but it's been a year and a half. My experience
was that it was decent, but like many similar products it had a high number
of false positives and did not catch everything.

For really critical web applications nothing beats a well trained Q&A
team with time, tools and access to the source code. Again, it's been a
year and a half since I have done line-by-line code review professionally,
but at that time it was more effective at finding flaws than any of the
automated tools I tried. Obviously it's not as fast to do it by hand.
It's that old trade-off between fast, cheap and accurate. Pick two.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax  785.864.5393
       
"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free."
-- Eben Moglen, Software Freedom Law Center
       


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application vulnerability
assessment (1) software (2) companies

Have any schools had any experiences with Web application security
vulnerability assessment

(1) software -- (nstalker, appscan, etc.)

(2) companies / consultants who perform such services

Post to the list or to me.  I'll summarize.

H. Morrow Long
University Information Security Officer
Director -  Information Security Office
