[WEB SECURITY] Security Audit Software

dpw dainw at fsr.com
Wed Jun 22 17:07:09 EDT 2005


Thanks a lot- this is a great help!

Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net


-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Wednesday, June 22, 2005 2:02 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Security Audit Software


From time to time this question comes up and inevitably leads to a
long thread listing a few tools per post. Directly addressing the
topic, Arian from Fishnet Security released a presentation that
includes a very complete list of tools.

"Application Security Assessment Tools: An Overview of Available Testing Tools"
http://www.owasp.org/docroot/owasp/misc/OWASP_UK_2005_Presentations/AppSec2005-Arian_Evans-AppSec_Assessment_Tools.ppt

I pulled out two of the lists and pasted them below. Hopefully we
don't have to list out the tools in multiple threads anymore and can
instead focus on our experiences with them.

I believe Arian was going to post this data on a web page somewhere,  
but I don't know if he got around to it yet. It would be good if we  
could just post a URL next time as well.



Commercial Fault Injection Test Tools:

WebInspect by SPI Dynamics
AppScan by Watchfire
Scando by Kavado
AppDetective by AppSecInc
Hailstorm by Cenzic
NTOSpider by NT Objectives
Web Vulnerability Scanner 2 by Acunetix
DevPartner Fault Simulator by Compuware
Fortify Pen Testing Team Tool
Web Proxy 2.0 by @stake
Burp Intruder
Web Sleuth by Sandsprite
MaxPatrol 7
Syhunt Sandcat Scanner & Miner
HTTPExplorer by TrustSecurityConsulting
BlueGreen Inspector by Ecyware
Typhon by NGS
Parasoft WebKing (more QA-type tool)


Open Source or Freeware Fault Injection Test Tools:

WebScarab (HTTPush, Exodus)
Paros Proxy
Burp Spider
Burp Proxy
SPIKE Proxy
SPIKE
Achilles Proxy
Odysseus Proxy
Webstretch Proxy
Absinthe 1.1 (formerly SQLSqueal)
NGS SQL Injection Inference Tool (BH Europe 2005)
Internet Explorer HTMLBar Plugin
Firefox LiveHTTPHeaders and Developer Tools
Sensepost Wikto (Google cached fault-finding)
Foundstone Sitedigger (Google cached fault-finding)

On Jun 22, 2005, at 1:35 PM, dpw wrote:

> Howdy everyone,
>
> I need to research and hopefully purchase some software to help us
> evaluate and test the web apps we develop. I realize that the readers
> of this list are immeasurably more qualified to identify the strengths
> / weaknesses of these kinds of software than I am, and hope someone
> out there can give me some useful insight.
>
> SPI Dynamics is so far the only software on my radar for this purpose,
> but does anyone else have recommendations for security auditing
> software they trust? Alternatively - does anyone own / use SPI
> Dynamics' software, and do you feel that it's worth a purchase?
>
> Thanks in advance,
> Dain White
> Senior Developer - Webmaster
> First Step Internet, L.L.C.
> www.fsr.com | www.fsr.net
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>

