Penetration Testing mailing list archives

RE: Spi's products worth a try? Or any suggestions for developers' tool?


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 7 Nov 2005 11:54:12 -0600

Advert aside, Mike brings up a very important point about
"web application security", math, technology, ethics, and
which vendor you should vote for with your dollars:

-----Original Message-----
From: Mike Pearson [mailto:mp () digitalstakeout com] 
Sent: Sunday, November 06, 2005 11:37 AM
To: pen-test () securityfocus com

My company conducted a thorough evaluation of SPI WebInspect, Watchfire
AppScan, Acunetix and various open source products and ended 
up choosing a combination of AppScan and open source as the primary
backend for our service, Threat Portal VMS.

You offer a hosted dashboard and promise of automation for something
that requires human eyeballs and brains. Your service will appeal to
unsuspecting folks with misguided desires to *replace* human analysis.

The confusion over what can and cannot be automated is part of
_The_Problem_ with appsec today. Reference Rice's Theorem before
starting an anecdotal debate with me on this.
 
One thing to keep in mind is that Watchfire holds the definitive
patent for conducting intelligent web crawling for vulnerabilities.
Both SPI and Acunetix had to pay Watchfire multi-million dollar royalty 
payments in order to use the patent. SPI may be a little faster
with new updates but Watchfire invented the process.

Invented "the process", huh? What about all us bipeds that were
performing this "process" with our eyeballs well before Perfecto
then Sanctum now Watchfire "patented" it?

But this is an *important* point. Let's expand on it:

Without naming names, let us posit that there was a vendor who
"patented" something ridiculous during a phase of immaturity in
patent office understanding of the concepts involved.

Then let us say the same vendor went out and used that patent
as a weapon to (a) raise prices of competitors' products and
(b) stifle independent and university research.

I would consider this highly unethical behavior, and humbly
submit that anyone who supports a vendor who perpetuates these
business practices is also unethical, and harming the rest of
us by supporting anti-competitive practices and stifling
research and innovation that would benefit us all.

I do not know if such a vendor exists, but if they did, you
could probably build a clear timeline of such activities by
researching patent grant, litigation, press releases announcing
which vendors caved in to "royalties", when new web appsec
research projects disappeared, and when innovative new tools
from university and independent research were pulled from
public release.

After constructing such a timeline, it should be pretty
clear if such a vendor exists.

Vote with your dollars and your mouth.

Disclaimer:
Comments and conclusions about ethics are my own and do not
in any way represent the position of my employer or any
other group I am affiliated with.


-ae
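The Rice's Theorem point above is worth seeing concretely. The following is an added illustration, not part of the original message and not code from any vendor discussed: it models "programs" as Python generators, wraps each one so that it reveals a constructed secret exactly when the wrapped program finishes, and then shows why no scanner, syntactic or dynamic, can correctly classify every such program. A scanner that could would also decide the halting problem. All names (`build_wrapper`, `static_scan`, `dynamic_scan`, the two sample programs and `SECRET`) are constructed for this example.

```python
"""Why "does this code leak a secret?" cannot be fully automated.

Added illustration of Rice's Theorem as it applies to vulnerability
scanning. Programs are modelled as generators that yield once per
execution step; a program "halts" when its generator is exhausted.
"""
from typing import Callable, Iterator

SECRET = "constructed-secret-value"  # constructed sample value, not real data

Program = Callable[[], Iterator[None]]


def halting_program() -> Iterator[None]:
    """Constructed sample: runs three steps, then stops."""
    for _ in range(3):
        yield


def looping_program() -> Iterator[None]:
    """Constructed sample: never stops."""
    while True:
        yield


def build_wrapper(program: Program) -> Callable[[], Iterator]:
    """Return a program that reveals SECRET exactly when `program` halts.

    Deciding "does the wrapper ever reveal SECRET?" is therefore the same
    question as "does `program` halt?", which is undecidable in general.
    """
    def wrapper() -> Iterator:
        for _ in program():   # may run forever
            yield None
        yield SECRET          # reached only if `program` halted
    return wrapper


def static_scan(wrapper: Callable) -> str:
    """A purely syntactic scanner: flags any code that references SECRET.

    Both wrappers above compile to identical bytecode, so a syntactic
    scanner must give them the same verdict, and one verdict is wrong.
    """
    return "leak" if "SECRET" in wrapper.__code__.co_names else "no leak"


def dynamic_scan(wrapper: Callable, step_budget: int) -> str:
    """A dynamic scanner with a finite budget.

    It can prove a leak by observing it, but when the budget runs out it
    cannot distinguish "never leaks" from "leaks later".
    """
    for step, observed in enumerate(wrapper()):
        if observed == SECRET:
            return "leak"
        if step >= step_budget:
            return "inconclusive"
    return "no leak"


def same_code(a: Callable, b: Callable) -> bool:
    """True when two functions have byte-for-byte identical bytecode."""
    return a.__code__.co_code == b.__code__.co_code


def halts(program: Program, leak_decider: Callable[[Callable], bool]) -> bool:
    """The reduction: a perfect leak decider would decide halting."""
    return leak_decider(build_wrapper(program))


if __name__ == "__main__":
    leaky, silent = build_wrapper(halting_program), build_wrapper(looping_program)
    print("identical bytecode:", same_code(leaky, silent))
    print("static verdicts:", static_scan(leaky), "/", static_scan(silent))
    print("dynamic verdicts:", dynamic_scan(leaky, 10), "/", dynamic_scan(silent, 10))
```

Run it and the two wrappers get the same static verdict despite opposite behaviour, while the dynamic scanner returns "inconclusive" for the non-halting one no matter how large the budget. That is the gap a human reviewer fills, and it is inherent, not a product deficiency that the next release will close.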
