RE: Opinions of automated testers

["Erin Carroll" <amoeba () amoebazone com>]

Mathijs,

SPI Dynamics does have a demo download with a temp key that allows you to
test WebInspect using their http://zero.webappsecurity.com website. The site
is completely reimaged each night so you can play around with the tool to
your heart's content with SQL injection, fuzzing, etc. They've done a great
job in setting things up so potential clients can get a really good feel for
the tool and it's capabilities. I don't work for SPI but I've worked with
them extensively in the past and am most familiar with their product so take
my recommendations with a grain of salt. Other products may suit your needs
better in particular areas or capabilities.

I'm not certain if Cenzic or the other webappsec tools have a similar
setup/trial playground for product evaluation but I would be surprised if
that wasn't the case. Most companies in this product space also offer
pricing for corporate (unlimited internal usage) clients as well as lower
cost engagement-based licensing for consultants/services companies.

I know you vendors lurk on the list so if any SPI, Cenzic, or Watchfire guys
want to pipe up with more info I'll let it through as long as it isn't too
sales-pitch-ish. If you could provide a relatively unbiased comparison
between your tool and the others in your space in regards to what features
you have and how they compare to your competition that would be useful for
this audience. Some products excel in a particular area or have feature sets
unique to you and having some more technical information on the capabilities
of each would be useful. Just bear in mind that the audience is pen-testers
and not the SecurityFcus webappsec list which also discusses these
questions. :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of M. Groen
> Sent: Tuesday, May 08, 2007 11:28 PM
> To: pen-test () securityfocus com
> Subject: RE: Opinions of automated testers
>
> Thanks for the clear explanation.
>
> One other question, does anyone happen to know if there are 
> sites on which you can try "pen testing" products, like 
> WebInspect, or Hailstorm? I mean a " playground" on which it 
> is allowed to do pen-tensting (and make mistakes)?
>
> Mathijs
>
> > Zack,
> >
> > First of all, it depends on what you want in a pen-test 
> tool. Second, 
> > it also depends on what you mean by pen-testing.  In my opinion, 
> > unless there is an actual exploit leveraged and a payload 
> or injection 
> > of some sort, you are talking Vulnerability Assessment and not 
> > pen-testing. It's a semantic difference to some but there is a 
> > procedural difference between identifying potential vulnerabilities 
> > and actively exploiting found vulnerabilities.
> >
> > The 3 tools you list are all web application-centric in their focus 
> > and are not what I would consider true pen-testing tools 
> per se; they 
> > are more Application layer vulnerability scanners with 
> limited exploit 
> > payloads to reduce false positive findings (XSS and SQL injection 
> > checks etc).
> > Watchfire's AppScan, Cenzic's Hailstorm, and SPI's 
> WebInspect are all 
> > great tools but they do not test the full gamut of OS or 
> services. If 
> > you are focused solely on application layer assessment then any of 
> > these 3 should suit your needs. I personally prefer 
> WebInspect due to 
> > some of the extra tools and functionality it provides, as 
> well as the 
> > various customizable report patterns and 
> compliancy-directed scanning 
> > but each has it's strong points.
> >
> > If you are looking for what most on the list would consider broad 
> > spectrum pen-testing tools you should take a look at Core 
> Impact or Metasploit.
> > There
> > are other pen-testing tools available but these two are 
> probably the 
> > most widely used. Core=commercial, Metasploit=OSS so if your 
> > organization needs support not found in a chat room or 
> online forum Core is the way to go.
> > I'm
> > fond of how Impact's payload is a memory-resident 
> compromise so there 
> > is no actual change to the target compromised system and it can use 
> > any exploited box found to search out other machines it can 
> see which 
> > is valuable in moving your penetration farther into the private 
> > network.
> >
> > While automated tools are getting better and easier to use, nothing 
> > beats an experienced pen-testing services company. The 
> better ones go 
> > beyond automated tool runs and can offer services that 
> include social 
> > engineering, custom exploit coding, and other 
> company-specific scope 
> > needs. Depending on your budget you may also want to look into that 
> > avenue.
> >
> > Hope that helps and welcome to the list.
> >
> >
> > --
> > Erin Carroll
> > Moderator
> > SecurityFocus pen-test list
> > "Do Not Taunt Happy-Fun Ball"
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of 
> > > zackpeters75 () yahoo com
> > > Sent: Monday, May 07, 2007 8:58 PM
> > > To: pen-test () securityfocus com
> > > Subject: Opinions of automated testers
> > >
> > > Hi,
> > >
> > > My manager gave me our pen testing project and I'm still 
> coming up to 
> > > speed so forgive me if this question is not 100% list appropriate.
> > >
> > > > From what I can tell the top 3 automated pen testing
> > > programs are from SPI Dynamics, Cenzic and Watchfire. I haven't 
> > > evaled any of them quite yet but they each seem to have their 
> > > advantages and disadvantages. Cenzic is claiming to be the most 
> > > accurate at least according to their 20/20 marketing program
> > > http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm 
> wondering what 
> > > people have actually seen.
> > >
> > > And if any of you posters from SPI, Cenzic or Watchfire 
> want to email 
> > > me directly and tell me your benefits, that's fine.
> > > I don't want the thread to be a sales pitch, just looking 
> to benefit 
> > > from the knowledge of others.
> > >
> > > Thanks everyone!
> > >
> > > Zack
> > >
> > > --------------------------------------------------------------
> > > ----------
> > > This List Sponsored by: Cenzic
> > >
> > > Are you using SPI, Watchfire or WhiteHat?
> > > Consider getting clear vision with Cenzic See HOW Now with 
> our 20/20 
> > > program!
> > >
> > > http://www.cenzic.com/c/2020
> > > --------------------------------------------------------------
> > > ----------
> ----------------------------------------------------------------------
> > --
> > This List Sponsored by: Cenzic
> >
> > Are you using SPI, Watchfire or WhiteHat?
> > Consider getting clear vision with Cenzic See HOW Now with 
> our 20/20 
> > program!
> >
> > http://www.cenzic.com/c/2020
> ----------------------------------------------------------------------
> > --
>
>
>
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic See HOW Now with 
> our 20/20 program!
>
> http://www.cenzic.com/c/2020
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------