WebApp Sec mailing list archives

RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners


From: "Joseph Peloquin" <jpelo1 () jcpenney com>
Date: Thu, 24 Aug 2006 16:46:48 +0200


|-----Original Message-----
|From: Jeff Robertson [mailto:jeff.robertson () digitalinsight com] 
|Sent: Thursday, August 24, 2006 7:09 AM
|To: enis.karaarslan () ege edu tr; Evans, Arian; rwp () gmx de
|Cc: websecurity () webappsec org; webappsec () securityfocus com
|Subject: RE: [WEB SECURITY] RE: Environment for testing WebApp 
|Security Scanners
|
|
|"Real-life" programs meaning applications intended for actual 
|use, not just for security benchmarking? Wouldn't you want to 
|fix the vulns you find in those, thereby ruining their value 
|as benchmarks?

More like, "real life", meaning they are written *like* programs
intended for actual use, but are used for security benchmarking instead.
As in, nobody would ever deploy a "real" webapp that looked like webgoat
(which is a poor benchmarking tool as well).

I haven't looked at the apps yet, but surely a disclaimer says something
to the effect of, "you're a complete moron if you deploy these apps for
use in a production environment."

-jp
