RE: Finally - Curphey award 2004 to SPI Dynamics

["Thomas Ryan" <tommy () providesecurity com>]

It will be interesting to see how well this works.
After testing WebInspect 4.0, I wasn't so impressed.
It missed a lot of possible vulnerabilities during my 15 Day Eval.
WebInspect 4.0 did have excellent reporting features.

It was a decent tool but for $25000 you would expect a lot more.
I also have a feeling that SecureObjects will most likely cost more then
Visual Studio 2003, which may deter small businesses from purchasing the
product.

Also, the product says it will validate web forms. What about QueryStrings
and Cookies?

Is there a beta version that we can test?
I am quite sure that many members on this list would be qualified to test
this product thoroughly.

I know if you are using ASP, PHP or ColdFusion, WebAssist.com has a
validation kit for Dreamweaver. Has anyone tested this?
http://www.webassist.com/Products/ProductDetails.asp?PID=33

Thomas Ryan
Provide Security


> -----Original Message-----
> From: Mads Rasmussen [mailto:mads () opencs com br]
> Sent: Tuesday, June 29, 2004 7:47 AM
> To: Mark Curphey
> Cc: webappsec () securityfocus com; Jeff Williams
> Subject: Re: Finally - Curphey award 2004 to SPI Dynamics
>
> Mark Curphey wrote:
> > Here I am, depressed at the prospect of filling in mountains of
> expense
> > claims from weeks of traveling and approving mundane mails to
> webappsec
> > about XSS after XSS and along comes a shining light. At last an
> "application
> > security" company that gets it ! Hats of to the folks at SPI and the
> Curphey
> > Award for 2004 for leading the industry down the right path !
> >
> > http://biz.yahoo.com/prnews/040628/clm006_1.html
>
> Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp
>
> I don't know about you guys but I have a bad feeling about this. I am
> not sure this is the right path.
>
> The article quotes Caleb Sima, founder and chief technology officer of
> SPI Dynamics saying "It doesn't require developers to learn about
> security," - "You really just need to validate input to eliminate most
> application vulnerabilities."
>
> Shouldn't you at least have a feeling for where the developers makes
> their mistakes to be able to insert the right piece of secure code?
>
> By all means it looks like a cool product, but how much can we trust it?
>
> One of its features is, qoute
> "Input Validation objects will check incoming data on web forms to
> validate user-supplied input against a set of rules and prevent
> parameter manipulation exploits, such as SQL Injection attacks."
>
> Can we trust these "set of rules".
> If they opened their technology, the OWASP team could contribute rules
> to such a database and then we just might get somewhere by having a list
>
> of f.ex regular expressions for using the validator classes in .Net or
> input validation in general but that would probably not happen.
>
> I am concerned that products like this just leads to lazy developers.
>
> Jeff what do you think about this? You wanted to start an input
> validation project based on filters, a database like described above
> would be quite handy :o)
>
> Just my two bits
>
> --
> Mads Rasmussen, M.Sc.
> Open Communications Security
> www.opencs.com.br
> +55 11 3345 2525