RE: RE: Application Assessment

From: Ory Segal (osegal@watchfire.com)
Date: Sat Aug 13 2005 - 11:02:50 EDT


Hello,

I would like to speak on behalf of my company (Watchfire). I wouldn't usually address such a thread, but since the things that were mentioned were basically incorrect, I thought it would be best to respond.

Watchfire has a very large team dedicated to AppScan's development. It is the company's top priority. We put out a significant new release last September and the next one will be coming soon.

You are invited to test the product(s) for yourself to decide which is best.

-Ory Segal/Watchfire

-----Original Message-----
From: Kyle Starkey [mailto:kstarkey@siegeworks.com]
Sent: Friday, August 12, 2005 10:39 PM
To: RUI PEREIRA - WCG; jcreyes@etb.net.co
Cc: pen-test@securityfocus.com; Webappsec
Subject: Re: RE: Application Assessment

I would suggest against the AppScan product unless you want to use their developer's edition for pre-compiled code... There has been very little R&D time/dollars being allocated to this product in the past 24 months and as such it has lagged behind in functionality by comparison to the WebInspect product.. If you only have budget for one tool I would suggest WebInspect over the others...

On Fri, 12 Aug 2005 1:32 pm, RUI PEREIRA - WCG wrote:
> Juan,
>
> Approx 1 year ago we did an evaluation between Appscan, Kavado,
> WebInspect and AppDetective. We chose WebInspect for the range of
> vulnerabilities tested for, the granularity of test selection, the
> flexibility of use, etc. Contact me offline if you want more detail on
> our selection process.
>
> Thank You
>
> Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA
> Principal Consultant
>
> WaveFront Consulting Group
> Certified Information Systems Security Professionals
>
> wavefront1@shaw.ca | 1 (604) 961-0701
>
>
> ----- Original Message -----
> From: Juan Carlos Reyes Muñoz <jcreyes@etb.net.co>
> Date: Friday, August 12, 2005 8:26 am
> Subject: RE: Application Assessment
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Allen,
>>
>> One question... have you ever tried Watchfire's Appscan? If so,
>> which tool could be better between Appscan and Webinspect?
>>
>> Juan Carlos Reyes Muñoz
>>
>> GIAC Certified Forensic Analyst - SANS Institute
>> Information Security Consultant
>>
>> Cel. (57) 311 513 9280
>>
>> Miami Mailbox
>> 1900 N.W. 97th Avenue
>> Suite No. 722-1971
>> Miami, FL 33172
>>
>> The opinions expressed in this communication are entirely personal.
>> Likewise, this communication and all of its attachments are
>> confidential and exclusively for the addressee. If for any reason you
>> receive this communication and you are NOT the addressee, let me know
>> by replying to this e-mail and please destroy any copy of it and of
>> the attachments. Please also try to forget anything you have read in
>> this communication, except this part. Any improper use of this
>> information is prohibited, as is making copies of this message.
>> Thank you.
>>
>> The contents and thoughts included in this e-mail are completely
>> personal. This e-mail message and any attachments are confidential
>> and may be privileged. If you are not the intended recipient, please
>> notify me immediately by replying to this message and please destroy
>> all copies of this message and attachments. Please also try to
>> forget everything you have read that was contained in this E-Mail
>> message, except this part.
>> Misuse, copying and redistribution of this e-mail are forbidden.
>> Thank you.
>>
>> > -----Original Message-----
>> > From: Brokken, Allen P. [BrokkenA@missouri.edu]
>> > Sent: Thursday, August 11, 2005 01:43 p.m.
>> > To: Glyn Geoghegan; goenw
>> > CC: pen-test@securityfocus.com; Webappsec
>> > Subject: RE: Application Assessment
>> >
>> > I am a Security Analyst for the University of Missouri - Columbia Campus.
>> > I came from a systems administration background, and in the past 18 months
>> > have been tasked with application security as just part of a greater
>> > Information Systems Auditing program.
>> >
>> > I personally have used
>> >
>> > SpikeProxy from www.insecure.org
>> > Paros, mentioned by others
>> > and evaluated a handful of other Proxy/Automated Attack Methods.
>> >
>> > However, the best tool I've seen and the one we finally purchased is
>> > WebInspect from SPI Dynamics
>> > http://www.spidynamics.com
>> >
>> > I did some independent test between SpikeProxy and WebInspect on a few
>> > different applications. With SpikeProxy it took basically 1 working day
>> > to run the tool, and verify false positives, look up good references for
>> > the vulnerabilities and write the report. The same application with
>> > WebInspect took approximately 15 minutes of my time to configure, and
>> > generate the final report while taking about 2 hours to actually run
>> > without my intervention. It typically found 20% more vulnerabilities than
>> > I could find by the more manual method with SpikeProxy, and produced
>> > extensive reports that not only explained the vulnerabilities, but gave
>> > code references the developers could use to fix their problem.
>> >
>> > Those were results I got prior to training. I got some extensive training
>> > with the tool and on web application testing in general at Security-PS
>> > http://www.securityps.com. They are a Professional Application Security
>> > auditing company and they use this as their core tool because of both the
>> > accuracy of the tool and the responsiveness of the company. In the
>> > training I got to learn how to effectively use a whole suite of tools
>> > including a Web Brute force attacker, SQL Injector, Proxy, Encoders /
>> > Decoders, and Web Service assessment tools to name a few.
>> >
>> > The tool is a little pricey, but I work with literally dozens of campus
>> > departments and have evaluated LAMP, JAVA/ORACLE, ASP.NET/SQL Server and
>> > even VBScript/Access systems with the WebInspect Suite of tools. The #1
>> > comment I get from the developers is how helpful the report was in
>> > correcting their code. For that broad spectrum of coding environments I
>> > couldn't possibly provide code level help to the developers without this
>> > product.
>> >
>> > We've been using it now for almost a year and the responsiveness of their
>> > Sales and Technical staff has been extreme. I haven't had a single issue
>> > that wasn't resolved in less than 24 hours. I've also gotten a lot of
>> > support from their sales staff regarding application security awareness
>> > for our campus developers in general.
>> >
>> > One last thing to mention is the updates. I have never seen a tool that
>> > is so consistently updated. I have run 2 or 3 assessments in the same day
>> > and had updates for new vulnerabilities made available each time I ran the
>> > tool. If a week goes by without using it there can be literally 100's of
>> > new signatures it needs to add to the list.
>> >
>> > If you have more questions and want to talk offline I'd be happy to answer
>> > them.
>> >
>> > Allen Brokken
>> > Systems Security Analyst - Principal
>> > University of Missouri
>> > brokkena@missouri.edu
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.0.1 (Build 2185)
>> Comment: Mensaje Seguro, Enviado por Juan Carlos Reyes M.
>>
>> iQIVAwUBQvy/k4ElKqNdrUwNAQgxhw//c/aBxhmWEZl5lisTuM4YjV7VL5ikWCzr
>> OwwfVoV+dnAzYSio55zhGidKLh/kU9A12WdWz6a77xSZyPmsf0mVszyN0cYuf24A
>> /jtxb9GRAdlyLii1r38FdQ2BKCl3/Wydd2Q5seyukNZMg5QggdtSPMyKwF4pkehD
>> 7Z6Hb/M+bQjJN7zyn8L/94Kr0LJU8GK8AWCO4XB+yku5ndUOmcWF+XJrClx3qUSO
>> FWj75d+fasRXuM8/Z9bBeCfvDlhuTh01afa68Mz2aO5uOoCooDvsAa0S9q6gre8e
>> TDzl8okWMzudyKdJrbkW5JPb3SGvtAvcsfdRKX+qv4dbhxFnbKncghhwMgBY+2ua
>> uZ8nieMtvjTbpPNev0VQe7nDCD0XPR6Ft9Ty1DddYY9SbIOoJAYR0oQ50zBi769i
>> Eq0CD8++Hf4oqrBHZEkIMsotNYVTEjOcdbiP9lqd/efZ0Tcl5pZKP8qqGcUF1/D4
>> OUpq4JEM/N3iw0dTBPLnvIcHftE6Ou/VJAr8EFjUAw++9LBcwXKd9U5q+1j2ysBo
>> ELRd+wpTz5dTc73nQeTjA8MNJspO82JHf8C/c0f89OlKMgDx8fcnwcV+FL8L52Od
>> /KITItOoltULIhvFoHHWK23mWibJffu4XMN00YAwTzlC09iQMUZisdX+Jju6gsz5
>> Eyk0+jWqQCg=
>> =L/PW
>> -----END PGP SIGNATURE-----
>>
>
>
> ------------------------------------------------------------------------------
> FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
>
> Learn the hacker's secrets that compromise wireless LANs. Secure your
> WLAN by understanding these threats, available hacking tools and
> proven countermeasures. Defend your WLAN against man-in-the-Middle
> attacks and session hijacking, denial-of-service, rogue access points,
> identity thefts and MAC spoofing. Request your complimentary white paper at:
>
> http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
> -------------------------------------------------------------------------------
Kyle Starkey
Senior Security Consultant
SiegeWorks
Cell: 435-962-8986




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:45 EDT