From: Bill Pennington (billp@boarder.org)
Date: Mon Oct 06 2003 - 12:08:24 EDT
Hey Mark good question.
Full Disclosure I am the CTO of a company that offers web application
assessment services (aka managed web application assessments) so I
might be a bit biased. :-)
The industry is really split into 3 camps tool vendors (SPI, Sanctum,
Kavado etc..), Consulting companies (@stake, Guardent, Foundstone...)
and Managed Web assessment services (WhiteHat Security, Siegeworks).
First lets take a look at the web app. security problem from a 50,000
foot level. The problems found in web applications fall loosely into 2
categories technical and logical. The technical vulnerabilities are
generally easy to check for with a tool and include issues like SQL
Injection, Cross Site Scripting, Directory Traversal, etc... The
Logical vulnerabilities are issues centering around the the logic of
the application itself and generally present themselves in multiple
step processes. A good example of a logical vulnerability would be the
HotMail password reset issue uncovered earlier this year. It usually
takes a human to uncover these types of issues.
The tool companies will tell you to just grab there tool plug it into
your System Development Life-cycle and you are good to go. While this
is certainly a good practice it really does not solve the entire web
app. security problem. Tools only find technical vulnerabilities. Tools
also rely almost completely on error messages to detect
vulnerabilities. The first thing a web application assessment is going
to tell you is to turn off the error messages, making tools much less
effective. Tools also have a tendency to generate a massive amount of
false positives and do you really what your developers or QA people
spending time tracking down whether or not the 200 Cross Site Scripting
vulns. the scanner just reported or real or false?
Scanners run between $5,000 to $15,000.
The consulting companies are a mixed bag. Many do not use any automated
tools at all making them not very through. The level of experience you
get can vary wildly as web app. security is a relatively young
discipline in the security world. If you find the right consultant the
issue then becomes can you afford to keep bringing them back? By this I
mean almost all web applications change at least once a month, many
change daily. Every change has the potential to add a new vulnerability
to your site no matter how good your developers are, everyone makes
mistakes.
Consultants $10,000 - $100,000 per assessment (generally 1 - 2 weeks in
duration.
Managed Web Assessment Services (MWAS) are somewhat new. I am obviously
biased here so I will be brief. MWAS has multiple advantages. 1.
Automated tools to be as through as possible. 2. Backed by humans to
eliminate false positives and to test for logical application issues.
3. Delivered over time so that your application is continually being
tested while changes are rolled out.
MWAS - $24,000 and up per year.
We have a pretty good Powerpoint on our site outlining this in a bit
more detail.
http://www.whitehatsec.com/ppt/WhiteHat_Blackhat_Federal_2003_v1.6.ppt
On Monday, October 6, 2003, at 07:50 AM, Lachniet, Mark wrote:
> Hello all,
>
> Please forgive the cross-posting. I was wondering if anyone could
> comment on how they have seen web application security analysis work
> priced. By this, I do not mean the typical vulnerability assessment,
> but an assessment of the ASP/SQL code - looking for SQL injections, for
> example. I'm curious to hear from both consultants who offer the
> services, and managers who have purchased it. Also, if this was
> largely
> automated (using SPI or Sanctum for example) or if there was a lot of
> hands-on analysis by a skilled tester.
>
> It seems that the industry is somewhat inconsistent in this regard,
> which makes it difficult for organizations to select the most
> appropriate service for their needs. If I get sufficient responses, I
> will try to summarize the comments.
>
> Thanks,
>
> Mark Lachniet
>
> -----------------------------------------------------------------------
> ----
> Tired of constantly searching the web for the latest exploits?
> Tired of using 300 different tools to do one job?
> Get CORE IMPACT and get some rest.
> www.coresecurity.com/promos/sf_ept2
> -----------------------------------------------------------------------
> -----
>
>
--- Bill Pennington, CISSP, CCNA Chief Technology Officer WhiteHat Security Inc. http://www.whitehatsec.com --------------------------------------------------------------------------- Tired of constantly searching the web for the latest exploits? Tired of using 300 different tools to do one job? Get CORE IMPACT and get some rest. www.coresecurity.com/promos/sf_ept2 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT