[WEB SECURITY] Need a vulnerable XML Web Service

Ory Segal SEGALORY at il.ibm.com
Thu Jun 10 03:00:01 EDT 2010


Hey,

For this I say - 

At least Larry Suto had the balls to actually sit, research and publish 
such results, instead of just throwing non-substantiated claims.

I have run these so-called "free" products on many real-world 
applications, and trust me, they might be working better on some test 
applications (I doubt it), but they sure can't handle real world apps.

Hey - I might be wrong (as Larry proved a few times), but at least, using 
Suto's results, I can improve my product. This is definitely not the case 
with your approach.

-Ory 
-------------------------------------------------------------
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory at il.ibm.com 




From:   Andre Gironda <andreg at gmail.com>
To:     websecurity at webappsec.org
Cc:     Jim Manico <jim at manico.net>, Ory Segal/Haifa/IBM at IBMIL, 7Lyrix 
<7lyrix at gmail.com>, "Arian J. Evans" <arian.evans at anachronic.com>, Arshan 
Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>, Nilesh Bhosale 
<nilesh at gslab.com>, Tom Stripling <tstripling at appsecconsulting.com>
Date:   10-06-2010 02:10 AM
Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service



On Wed, Jun 9, 2010 at 2:24 PM, Jim Manico <jim at manico.net> wrote:
> Do you think raw scanning engine technology has hit a plateau? Or could 
> it be that the cost to innovate scanning engines beyond today's state of 
> the art is getting prohibitive?

Jim,

Do you think investors of research projects for commercial app
scanners should continue their current strategy, or should it be
changed?

If you were responsible for scan engine technology for an app scanner
at one of the following companies, would you invest in the current
model -- or would you try something completely different such as
Fortify's approach with PTA and RTA?

HP Software
IBM Watchfire
Acunetix
NTOBJECTives
Cenzic
Qualys
WhiteHat Security

These vendors, IMO, have all failed to deliver quality products that
constantly push the envelope. Instead, their "scan engine technology"
is all but replaced by cheap ($200-$3000/year/person, unlimited use)
products such as Burp Suite Professional and Mavituna Security
Netsparker Pro.

Look at the Wivet (wivet.googlecode.com) results. Look at the
SQLiBENCH (sqlibench.googlecode.com) results. Run all of those
scanners in crawl-only mode through Casaba x5s and see how many HTML
injections you get from one scanner to the next. Guess who comes out
on top? The cheapest commercial products, especially Burp Suite Pro
and Netsparker Pro. To add to that fire, Burp Suite Free Edition and
Netsparker Community Edition also blow the other commercial products
away.

What else is left to say? The free scanning engines (that are tied to
the cheapest products in the appsec space) are better than the
expensive, commercial scanning engines. The above 7 vendors can't and
won't get their acts together. They have had their time. That time is
now over.

Thoughts?

Andre
