[unisog] Summary of responses to query regarding web vulnerable assessment scanners and consultants

Morrow Long morrow.long at YALE.EDU
Wed Mar 5 23:44:32 GMT 2008


Summary:

WebInspect and AppScan were used by an equal number of institutions according to the query's respondents.

AppScan drew comments such as "more complete" and "better reporting", but WebInspect was also liked by many who used it.

Acunetix, Nexpose and Nstalker were also mentioned. Some institutions are using multiple tools, as well as a mix of automatic scanning, code reviews, security design reviews, network penetration tools, consultants, manual assessment, and semi-manual tools such as Paros, WebScarab, etc.

There were 19 responses to my query to the Educause Security list, UniSOG, and the IVY+ InfoSec lists which directly addressed the tools used. There were very few responses regarding hiring firms and consultants to do the work. Many good points were made that the commercial scanners have many false positives and negatives (they can produce a lot of output that has to be verified, and they don't find every vulnerability/exposure) and that manual scanning/assessments of web applications are much better and more accurate (though labor/time/$ intensive).

The overwhelming majority of responses were on the Educause Security list, and the thread eventually went into other areas. Here is the distilled count:

     Commercial software:

	7 Schools use WebInspect
	7 Schools use IBM's WatchFire AppScan
	2 Use Acunetix
	2 Use Nexpose
	1 Use Nstalker

     Open Source Tools:

	Many using Web Scarab,  Paros and other manual, semi-manual tools.

Paraphrased comments:

	We use WebInspect - like it.
	Auditors licensed WebInspect several years ago. From Steve Stines.
	Use IBM Watchfire + peer review + std practices.  Call ktriley at berkeley.edu.
	WebInspect - valuable for security & QA. Vuln Desc detailed & good refs.
  	Both WebInspect and Appscan are licensed and good.
	WebInspect - like it.
	using nstalker for the past couple of years & generally pleased
	Appscan (more complete) and Nexpose (more user friendly, better rpt)
	Web Inspect - decent.  All products have many false pos & neg. Manual better.
	Developers use Web Scarab (a semi-manual/auto tool) & are happy.
	WebXM/AppScan - solid and getting better. 250 developers use it.
	Use Acunetix, Core Impact, Web Scarab, Paros in combination.
	Appscan: pleased, chosen via bake-off. Understandable rpts by laypeople.
	Acunetix- primary tool, very decent results at competitive price.
	AppScan and WebInspect similar.  Better is manual with WebScarab.
	Manual assessment using Paros, Web Scarab,
	Security Design Reviews, Code Reviews and manual testing are best.
	using IBM Rational AppScan - reports good for developers
	Uses WebInspect, but evaluating and looking to use Nexpose also.

Credits (Participants):

	Notre Dame, Gary Dobbins
	U Penn, Dave Millar	
	UC Berkeley, Bill Allison		
	U Pittsburgh, Kevin Johnson
	U Colorado Boulder, Brad Judy
	Northwestern, Roger Safian
	UNC Charlotte, Carter Heath
	Columbia, Joel Rosenblatt
	KU School of Arch, Dave Hull
	U of Auckland NZ, Russell Fulton
	UT Austin, Cam Beazley	
	VT.EDU, Randy Marchany
	Penn State, Kathy Kimball	
	U IOWA, Samuel Petreski	
	UNC, Alex Everett		
	SIU.EDU, Curt W		
	MTSAC, Darwin Macatiag		
	Princeton, Anthony Scaturro	
	CMU.EDU, Doug Mariewicz	

H. Morrow Long
University Information Security Officer
Director -  Information Security Office
