First off great bit of work. Its about time marketing crap
is
sliced up like a hot turd it is.
My German is not that great. Can I assume the basic summary
from
page 149 is as follows?
Sanctum / Watchfire could only find 1 in 5 issues or 20%
WebInspect about 6%
Accuntix was so bad it wasn't worth reporting results
All had so many false positives it wasnt funny. This
basicaly
echoes Arian Evans great work presented at OWASP last year
so is
consistent with what I hear from people who have bought
these
things and used them and polar opposite from the marketing
hype.
What I didnt see was a comparison of types of issues ie bugs
and
flaws? I imagine they are basically all at 0% on flaws but
....
so based on this I know where my money is not going on my
renewal
license. I suspected this all along but never knew how to
proove
it.
Again great stuff !
As I had mentioned in another posting to this list some time
ago, a
few months ago I completed a fairly extensive review of
various
tools: AppScan, WebInspect, Acunetix, (note AppScan and
WebInspect
have produced new versions since then), Burp, WebScarab,
Spike
Proxy, and some minor remarks on a few other tools. I used
two
applications as
benchmarks: WebGoat and a proprietary application in
production
use.
The report totals to about 170 pages.
A number of people have expressed their interest in this
report.
Today I have finally attained a publication permit. You can
download the report at http://f
hgonline.fraunhofer.de/server?suche-
publica&num=048.06/D&iese
(that page will give the abstract and bibliographic
information;
click on the red link named "Volltext" to get at
the actual PDF).
However, note that the report is in German. I regret that I
do not
have the time to translate it, but anyone is invited to
volunteer
(and some people already have). If you want to help in
translating,
drop me a line (this applies even to those who already did,
just to
give me an updated picture); I will collect all volunteer
addresses
and distribute them next week, and from then on, you'll be
on your
own.
Kind regards,
Holger Peine
--
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern,
Germany
Phone +49-631-6800-2134, Fax -1299 (shared) PGP key via
http://pgp.mit.edu ;
fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB
C126 A592 48EA F9F8
------------------------------------------------------------
--------
-----
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing
business
online
despite security executives' efforts to prevent malicious
attacks.
This
whitepaper identifies the most common methods of attacks
that we
have seen,
and outlines a guideline for developing secure web
applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepa
pers.aspx?id=70130000000
7t9r
------------------------------------------------------------
--------
------
Concerned about your privacy? Instantly send FREE secure
email, no account required
http://www.hushmai
l.com/send?l=480
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com
?l=485
------------------------------------------------------------
-------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security
Assessment
With the rapid rise in the number and types of security
threats, web
application security assessments should be considered a
crucial phase in
the development of any web application. What methodology
should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whi
tepapers.aspx?id=701300000007t9h
------------------------------------------------------------
--------------
|