Educause Security Discussion mailing list archives
Re: web application scanning
From: Indir Avdagic <iavdagic () SEAS HARVARD EDU>
Date: Tue, 7 Feb 2012 20:28:53 +0000
We use a couple of different commercial web application scanners. Most frequently we use Cenzic's Hailstorm Application Risk Controller. This scanner combines pretty high accuracy with a very low rate of false positives. Vulnerability discovery is driven by the "Smart Attack" library, which encapsulates best practices to test attack resistance. Also, this tool generates good reports with web vulnerability summary, total vulnerability risk score, and details on all the specific findings, but I'm not enormously impressed with the fit and finish of the user interface.

I hope this helps.

_________________________________________________
Indir Avdagic, CISM, CISSP, ACSA, TICSA
Director of Information Security
Harvard University - SEAS
Email: indir_avdagic () harvard edu
Phone: (617) 496-3502
"There is an infinite capacity to improve everything"
_________________________________________________

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Lepkowski
Sent: Tuesday, February 07, 2012 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] web application scanning

W3AF is an open source web application scanner. The links are at:

http://w3af.sourceforge.net/
https://community.rapid7.com/community/open_source/w3af

Paul Lepkowski, CISSP, GIAC-GPEN
RIT Information Security Office
Enterprise Information Security Lead Engineer
Staff Council Representative
Rochester Institute of Technology
Ross 10-A200
151 Lomb Memorial Drive
Rochester, NY 14623
(585) 475-6972
paul.lepkowski () rit edu

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Sheinberg
Sent: Tuesday, February 07, 2012 2:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] web application scanning

Hello,

Does anyone here have any recommendations for tools (preferably open-source) that will scan web-servers for vulnerable application frameworks + plug-ins? Stuff like looking for out-of-date Drupal, Joomla, etc.

Obviously I can find some of these tools with Google on my own, just curious if anyone has any positive experience with any in particular.

Thanks!

--
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Michael Sheinberg
Network Security Administrator, CETS
School of Engineering and Applied Science
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
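The check Michael asks for (spotting out-of-date Drupal or Joomla installs) in its simplest form, as an added example; this is not code from any poster on this thread, nor from Hailstorm or W3AF. It reads the generator meta tag, then confirms the release from files the two CMSes ship in web-readable locations: Drupal's CHANGELOG.txt in the web root (first line names the release) and Joomla's administrator/manifests/files/joomla.xml (a `<version>` element, present from 1.6 on). The hostnames, HTTP responses and baseline versions below are constructed; `sample_fetch` stands in for a real HTTP client.

```python
"""Fingerprint a web server's CMS and release, then flag installs older than
an operator-supplied baseline. Added example; sample data is constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed responses standing in for live HTTP fetches (hypothetical hosts).
SAMPLE_RESPONSES: Dict[str, str] = {
    "http://cms-a.example/":
        '<html><head><meta name="generator" content="Drupal 7 (http://drupal.org)" />'
        '<title>Site A</title></head><body></body></html>',
    "http://cms-a.example/CHANGELOG.txt":
        "Drupal 7.10, 2011-12-05\n-----------------------\n- Constructed entry.\n",
    "http://cms-b.example/":
        '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />'
        '</head><body></body></html>',
    "http://cms-b.example/administrator/manifests/files/joomla.xml":
        '<?xml version="1.0" encoding="UTF-8"?><extension type="file" version="2.5">'
        '<name>files_joomla</name><version>2.5.1</version></extension>',
    # Site C stripped the generator tag but still serves CHANGELOG.txt.
    "http://cms-c.example/":
        "<html><head><title>Site C</title></head><body></body></html>",
    "http://cms-c.example/CHANGELOG.txt":
        "Drupal 6.22, 2011-05-25\n-----------------------\n",
    # Site D: nothing recognisable.
    "http://cms-d.example/":
        "<html><head><title>Site D</title></head><body>static</body></html>",
}

Fetcher = Callable[[str], Optional[str]]

def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in: return the constructed body or None for a 404."""
    return SAMPLE_RESPONSES.get(url)

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

def detect_generator(html: str) -> Optional[str]:
    """Contents of the generator meta tag, or None. Spoofable and often removed."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

def drupal_version(fetch: Fetcher, base: str) -> Optional[str]:
    """Release named on the first line of Drupal's CHANGELOG.txt, e.g. '7.10'."""
    body = fetch(base + "/CHANGELOG.txt")
    m = re.match(r"Drupal (\d+\.\d+)", body) if body else None
    return m.group(1) if m else None

def joomla_version(fetch: Fetcher, base: str) -> Optional[str]:
    """Release from Joomla's file manifest (shipped from 1.6 onward)."""
    body = fetch(base + "/administrator/manifests/files/joomla.xml")
    m = re.search(r"<version>([\d.]+)</version>", body) if body else None
    return m.group(1) if m else None

def fingerprint(fetch: Fetcher, base: str) -> Dict[str, Optional[str]]:
    """Identify CMS and version; the generator tag only chooses which file to
    read first, and both version files are probed even when the tag is absent."""
    gen = detect_generator(fetch(base + "/") or "")
    cms: Optional[str] = None
    version: Optional[str] = None
    probes = [("Drupal", drupal_version), ("Joomla", joomla_version)]
    if gen and gen.lower().startswith("joomla"):
        probes.reverse()  # try the hinted CMS first
    for name, probe in probes:
        version = probe(fetch, base)
        if version:
            cms = name
            break
    return {"cms": cms, "version": version, "generator": gen}

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def is_outdated(cms: Optional[str], version: Optional[str],
                baseline: Dict[str, str]) -> Optional[bool]:
    """True if older than the baseline release, False if not, None if unknown."""
    if cms is None or version is None or cms not in baseline:
        return None
    return parse_version(version) < parse_version(baseline[cms])

# Placeholder baseline; in use, fill from the vendors' current release pages.
BASELINE: Dict[str, str] = {"Drupal": "7.12", "Joomla": "2.5.1"}

def scan(fetch: Fetcher, bases: List[str], baseline: Dict[str, str]) -> Dict[str, dict]:
    results = {}
    for base in bases:
        fp = fingerprint(fetch, base)
        fp["outdated"] = is_outdated(fp["cms"], fp["version"], baseline)
        results[base] = fp
    return results

if __name__ == "__main__":
    hosts = [f"http://cms-{h}.example" for h in "abcd"]
    for base, fp in scan(sample_fetch, hosts, BASELINE).items():
        print(base, fp)
```

To run this against real hosts, replace `sample_fetch` with a function that performs the GET (for example with `urllib.request`) and returns None on a non-200 status, and only point it at servers you are authorised to scan. Two caveats a practitioner would want: the baseline here is one release per CMS, whereas Drupal 6 and 7 were maintained as separate branches, so a production check keys the baseline on the major version; and the same files this script reads are the ones a hardening guide tells you to block or delete, so a site that reports nothing may simply be hardened rather than absent.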
Current thread:
- web application scanning Michael Sheinberg (Feb 07)
- Re: web application scanning Paul Lepkowski (Feb 07)
- Re: web application scanning Indir Avdagic (Feb 07)
- Re: web application scanning Greg Williams (Feb 07)
- Re: web application scanning randy marchany (Feb 07)
- Re: web application scanning Chris Green (Feb 08)
- Re: web application scanning Seth Hall (Feb 07)
- Re: web application scanning Seth Hall (Feb 07)
- Re: web application scanning Brian J Smith-Sweeney (Feb 07)
- Re: web application scanning David Pirolo (Feb 07)
- Re: web application scanning Paul Lepkowski (Feb 07)