[Owasp-boston] Larry Suto with an updated Application Security Scanner Report

Chris Eng ceng at Veracode.com
Thu Feb 4 14:24:15 EST 2010


Re #3, it’s not quite that simple. You have to factor in the salary of a skilled penetration tester versus a tool operator.  That’s a pretty significant cost differential.



From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of Javed Ikbal
Sent: Thursday, February 04, 2010 1:10 PM
To: owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Larry Suto with an updated Application Security Scanner Report

Observations:
1. Fully agree that these scanners cannot find all the issues on their own test websites. When questioned, one vendor spun it thus: "This means we are not rigging the test."

2. I did not see the point of the debate in 2007 because 90% of users have no clue what to do with these scanners and just point and shoot them. Most training they get is 1 hour with the SE so I am perfectly willing to accept that as the methodology.

3. While purists may not like this, I would have liked to see a price/performance comparison included. Yes, Burp Suite does not support JavaScript and has other problems; but for $200, I contend that for a small company and a skilled user it offers great value.

Javed



On 2/4/2010 8:52 AM, Laverty, Patrick wrote:
Has anyone had a chance to read it yet?  Or have opinions on it?  I know last time he released his report (2007), it was widely criticized.

If you haven’t seen it, it is here:
http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf

if you’re worried about a link to a pdf in an email like this, you can see it on this page:
http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/

As I am currently in the market for a scanning tool, I’m looking for any and all information from all sources on this sort of thing.

Thanks!

Patrick

_______________________________________________
Owasp-boston mailing list
Owasp-boston at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-boston
