WebApp Sec mailing list archives

RE: Spi's products worth a try? Or any suggestions for developers' tool?


From: "Ory Segal" <osegal () watchfire com>
Date: Tue, 8 Nov 2005 11:09:52 +0200

 
"fairly advanced AI", Yea right :-)


-----Original Message-----
From: App Master [mailto:appmasterzero () hotmail com] 
Sent: Monday, November 07, 2005 11:05 PM
To: araheja () techquotes com
Cc: webappsec () securityfocus com
Subject: Re: Spi's products worth a try? Or any suggestions for
developers' tool?

Aman,

Cenzic's Hailstorm has also received great reviews. In my experience it's
the most accurate tool available for auditing a web application for
security vulnerabilities. Gives you lots of control. It would be very
useful for your developers to use to scan their applications. Hailstorm
itself doesn't do source code scanning, but it excels in statefully
testing a web application for vulnerability, and in this regard, you
will find its results reliable and second to none.

Please allow me to explain:

When you manually test an application, it's time consuming, but it has
the advantage of greater accuracy than you ordinarily get out of an
ordinary off-the-shelf "App Scanner."  You see, a lot of security
products are just like machine guns that fire strings at an application
and then grep the HTML for another response string.  This is the reason
that after you run them it takes so long to verify if the results are
correct or not, because it's mostly pure signature matching -- stateless
-- of raw HTML and server response codes, without any visibility as to
what is occurring in the browser (at the application level), or if the
application is causally or statefully affected by injected values.

Hailstorm does it differently, using what you might think of as active
payloads. It monitors what each injected payload does and then monitors
browser memory (it uses a baked-in version of Mozilla) to trap when code
or events execute in the application space as a result of its actions.
This is a world of difference from other black-box tools. Hailstorm
also uses fairly advanced AI when it comes to analyzing server behavior:
heuristics, causal and behavior triggers, a significant number of
configuration options for advanced tuning. I like it because it gives me
better, more accurate, more actionable results. Period. I am certain it
would benefit your team.

Check it out at: www.cenzic.com

Thanks

Appman Zero


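The false-positive argument in the quoted message (stateless "grep the HTML" matching versus checking whether the reflected input actually comes back unencoded in a context a browser would parse) as an added Python illustration; this is not code from the thread or from any vendor's tool, and the probe token, the context classifier and the sample server responses are constructed assumptions.

```python
import re

# Constructed, inert probe (assumption): a unique token wrapped in the two
# characters an HTML encoder must neutralise. It executes nothing; it only
# shows where the input comes back and whether it came back unencoded.
TOKEN = "zzqprobe7"
PROBE = f"<{TOKEN}>"

def signature_scan(body):
    """What a stateless 'grep the HTML' scanner does: token seen, flag it."""
    return TOKEN in body

def context_at(body, pos):
    """Markup context at `pos`: inside a comment, inside a tag, or in text."""
    before = body[:pos]
    if before.rfind("<!--") > before.rfind("-->"):
        return "comment"
    if before.rfind("<") > before.rfind(">"):
        return "tag"
    return "text"

def reflections(body):
    """Each reflection of the token: (context, did '<' and '>' survive?)."""
    hits = []
    for m in re.finditer(re.escape(TOKEN), body):
        s, e = m.start(), m.end()
        intact = body[s - 1:s] == "<" and body[e:e + 1] == ">"
        # Judge the context just before the probe's own '<' when it is intact
        hits.append((context_at(body, s - 1 if intact else s), intact))
    return hits

def verified(body):
    """Flag only an unencoded reflection in text, where a browser parses it."""
    return any(ctx == "text" and intact for ctx, intact in reflections(body))

# Constructed server responses to the same probe, labelled by what happened
SAMPLES = {
    "encoded": "<p>Results for &lt;zzqprobe7&gt;</p>",
    "comment": "<!-- debug q=<zzqprobe7> --><p>No results</p>",
    "attribute": '<input name="q" value="<zzqprobe7>">',
    "text": "<p>You searched for <zzqprobe7></p>",
}

def triage(samples=SAMPLES):
    """Compare the two strategies: {name: (signature_flag, verified_flag)}."""
    return {name: (signature_scan(body), verified(body)) for name, body in samples.items()}

if __name__ == "__main__":
    for name, (sig, ver) in triage().items():
        print(f"{name:10} signature={sig!s:5} verified={ver}")
```

The signature check flags all four responses, while only the last one survives the context check, which is the verification work the message says a stateless scanner leaves to you.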