[unisog] Summary of responses to query regarding web vulnerable assessment scanners and consultants
morrow.long at YALE.EDU
Wed Mar 5 23:44:32 GMT 2008
WebInspect and AppScan were used in an equal number of institutions, according to the query's respondents. AppScan drew comments such as "more complete" and "better reporting", but WebInspect was also liked by many who used it. Acunetix, Nexpose and Nstalker were mentioned as well. Some institutions are using multiple tools, combining automatic scanning, code reviews, security design reviews, network penetration tools, consultants, manual assessment and semi-manual tools such as Paros, WebScarab, etc.
There were 19 responses to my query to the Educause Security list, UniSOG, and the IVY+ InfoSec lists which directly addressed the tools used. There were very few responses regarding hiring firms and consultants to do the work. Many good points were made that the commercial scanners have many false positives and negatives (they can produce a lot of output that has to be verified, and they don't find every vulnerability/exposure) and that manual scanning/assessments of web applications are much better and more accurate (though labor/time/$ intensive).

The overwhelming majority of responses were on the Educause Security list, and the thread eventually went into other areas. Here is the distilled count:
7 Schools use WebInspect
7 Schools use IBM's WatchFire AppScan
2 Use Acunetix
2 Use Nexpose
1 Use Nstalker
Open Source Tools:
Many using Web Scarab, Paros and other manual, semi-manual tools.
We use WebInspect - like it.
Auditors licensed WebInspect several years ago. From Steve Stines.
Use IBM Watchfire + peer review + std practices. Call ktriley at berkeley.edu
WebInspect - valuable for security & QA. Vuln Desc detailed & good
Both WebInspect and Appscan are licensed and good.
WebInspect - like it.
using nstalker for the past couple of years & generally pleased
Appscan (more complete) and Nexpose (more user friendly, better rpt)
Web Inspect - decent. All products have many false pos & neg. Manual
Developers use Web Scarab (a semi-manual/auto tool) & are happy.
WebXM/AppScan - solid and getting better. 250 developers use it.
Use Acunetix, Core Impact, Web Scarab, Paros in combination.
Appscan: pleased, chosen via bake-off. Understandable rpts by
Acunetix- primary tool, very decent results at competitive price.
AppScan and WebInspect similar. Better is manual with WebScarab.
Manual assessment using Paros, Web Scarab,
Security Design Reviews, Code Reviews and manual testing are best.
using IBM Rational AppScan - reports good for developers
Uses WebInspect, but evaluating and looking to use Nexpose also.
Notre Dame, Gary Dobbins
U Penn, Dave Millar
UC Berkeley, Bill Allison
U Pittsburgh, Kevin Johnson
U Colorado Boulder, Brad Judy
Northwestern, Roger Safian
UNC Charlotte, Carter Heath
Columbia, Joel Rosenblatt
KU School of Arch, Dave Hull
U of Auckland NZ, Russell Fulton
UT Austin, Cam Beazley
VT.EDU, Randy Marchany
Penn State, Kathy Kimball
U IOWA, Samuel Petreski
UNC, Alex Everett
SIU.EDU, Curt W
MTSAC, Darwin Macatiag
Princeton, Anthony Scaturro
CMU.EDU, Doug Mariewicz
H. Morrow Long
University Information Security Officer
Director - Information Security Office