Educause Security Discussion mailing list archives

Re: web application scanning


From: Indir Avdagic <iavdagic () SEAS HARVARD EDU>
Date: Tue, 7 Feb 2012 20:28:53 +0000

We use a couple of different commercial web application scanners. Most frequently we use Cenzic's Hailstorm Application Risk 
Controller. This scanner combines pretty high accuracy with a very low rate of false positives. Vulnerability discovery 
is driven by the "Smart Attack" library, which encapsulates best practices to test attack resistance. Also, this tool 
generates good reports with web vulnerability summary, total vulnerability risk score, and details on all the specific 
findings, but I'm not enormously impressed with the fit and finish of the user interface.

I hope this helps.

_________________________________________________
Indir Avdagic, CISM, CISSP, ACSA, TICSA
Director of Information Security 
Harvard University - SEAS
Email: indir_avdagic () harvard edu
Phone: (617) 496-3502   

"There is an infinite capacity to improve everything"
_________________________________________________

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul 
Lepkowski
Sent: Tuesday, February 07, 2012 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] web application scanning

W3AF is an open source web application scanner.  The links are at:

http://w3af.sourceforge.net/

https://community.rapid7.com/community/open_source/w3af



Paul Lepkowski, CISSP, GIAC-GPEN
RIT Information Security Office
Enterprise Information Security Lead Engineer
Staff Council Representative
 
Rochester Institute of Technology
Ross 10-A200
151 Lomb Memorial Drive
Rochester, NY 14623
(585) 475-6972
paul.lepkowski () rit edu
 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael 
Sheinberg
Sent: Tuesday, February 07, 2012 2:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] web application scanning

Hello,

Does anyone here have any recommendations for tools (preferably
open-source) that will scan web-servers for vulnerable application frameworks + plug-ins?

Stuff like looking for out-of-date Drupal, Joomla, etc. Obviously I can find some of these tools with Google on my own, 
just curious if anyone has any positive experience with any in particular.

Thanks!
--
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Michael Sheinberg
Network Security Administrator, CETS

School of Engineering and Applied Science
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

