Educause Security Discussion mailing list archives

Re: Experiences with Web application vulnerability assessment (1) software (2) companies


From: Alex <alex.everett () UNC EDU>
Date: Wed, 27 Feb 2008 20:04:19 -0500

All:

I also agree with both posts. I reviewed both AppScan and WebInspect
(although a while ago) and thought they were both similar. However, compared
to a manual comparison, they performed poorly. However, not everyone has 40
hours to spend analyzing a medium-sized application. The tools will handle
obvious issues and help an analyst save time. If time isn't a concern, you
can probably get away with WebScarab and some scripting.
I will be re-reviewing these this month, so I can update if interested.

-Alex

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Halliday,Paul
Sent: Wednesday, February 27, 2008 5:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability
assessment (1) software (2) companies

Seconded.

Automated tools are great for quickly identifying potential problem areas or
to satiate your resident auditor with a pretty graph. If this is where the
assessment stops however, you are doing yourself a disservice. The Achilles
heel in most well designed web applications is likely to be missed by all
but the most persistent, thorough and oftentimes unorthodox eye. It is here
that these solutions usually outlive their usefulness. Save your money and
invest in skilled people.

That said, has anyone played with CDC's Goolag Scanner yet? ;)

-p

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Hull,
Dave
Sent: Wed 2/27/2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with Web application vulnerability
assessment (1) software (2) companies



I have used Web Inspect, but it's been a year and a half. My experience was
that it was decent, but like many similar products it had a high number of
false positives and didn't catch everything.

For really critical web applications nothing beats a well trained Q&A team
with time, tools and access to the source code. Again it's been a year and a
half since I have done line-by-line code review professionally, but at that
time it was more effective at finding flaws than any of the automated tools
I tried. Obviously it's not as fast to do it by hand.
It's that old trade off between fast, cheap and accurate. Pick two.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629 Fax 785.864.5393

"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free."
-- Eben Moglen, Software Freedom Law Center



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Morrow Long
Sent: Wednesday, February 27, 2008 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with Web application vulnerability
assessment (1) software (2) companies

Have any schools had any experiences with Web application security
vulnerability assessment

(1) software -- (nstalker, appscan, etc.)

(2) companies / consultants who perform such services

Post to the list or to me.  I'll summarize.

H. Morrow Long
University Information Security Officer
Director -  Information Security Office
