[WEB SECURITY] Need a vulnerable XML Web Service

Ory Segal SEGALORY at il.ibm.com
Thu Jun 10 04:07:48 EDT 2010


>> You and many others should realize that because app scanning is not
>> the way that quality or dev-testing is done, then it should also not
>> be the way that application security testing is done.

Can you elaborate a bit on your view of how the process should take place?

-Ory



-------------------------------------------------------------
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory at il.ibm.com 




From:   Andre Gironda <andreg at gmail.com>
To:     websecurity at webappsec.org
Cc:     Ory Segal/Haifa/IBM at IBMIL, Jim Manico <jim at manico.net>
Date:   10-06-2010 10:42 AM
Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service



On Thu, Jun 10, 2010 at 2:00 AM, Ory Segal <SEGALORY at il.ibm.com> wrote:
> At least Larry Suto had the balls to actually sit, research and publish
> such results, instead of just throwing non-substantiated claims.
> I have run these so-called "free" products on many real-world
> applications, and trust me, they might be working better on some test
> applications (I doubt it), but they sure can't handle real-world apps.
> Hey - I might be wrong (as Larry proved a few times), but at least,
> using Suto's results, I can improve my product. This is definitely not the
> case with your approach.

You are correct. This is not a study on app scanners. I will not
prepare such a study. Don't expect that from me.

You and many others should realize that because app scanning is not
the way that quality or dev-testing is done, then it should also not
be the way that application security testing is done. The
"improvement" or solution is to stop app scanning and to stop
purchasing app scanners.

App scanners came about because of network vulnerability scanners,
which came about because the security product industry is a laughable
joke -- starting out with network firewall products and anti-virus
system scanners and taking those concepts way too far...
