[Owasp-boston] Larry Suto with an updated Application Security Scanner Report

Javed Ikbal javed at zsquad.com
Thu Feb 4 14:30:43 EST 2010


Right. Which is why I said "for a small company and a skilled user"

Regards

Javed

On 2/4/2010 2:24 PM, Chris Eng wrote:
>
> Re #3, it’s not quite that simple. You have to factor in the salary of
> a skilled penetration tester versus a tool operator. That’s a pretty
> significant cost differential.
>
> *From:* owasp-boston-bounces at lists.owasp.org
> [mailto:owasp-boston-bounces at lists.owasp.org] *On Behalf Of *Javed Ikbal
> *Sent:* Thursday, February 04, 2010 1:10 PM
> *To:* owasp-boston at lists.owasp.org
> *Subject:* Re: [Owasp-boston] Larry Suto with an updated Application
> Security Scanner Report
>
> Observations:
> 1. Fully agree that these scanners cannot find all the issues on
> their own test websites. When questioned, one vendor spun it thus:
> "This means we are not rigging the test."
>
> 2. I did not see the point of the debate in 2007 because 90% of users
> have no clue what to do with these scanners and just point and shoot
> them. Most training they get is 1 hour with the SE so I am perfectly
> willing to accept that as the methodology.
>
> 3. While purists may not like this, I would have liked to see a
> price/performance comparison included. Yes, Burp Suite does not
> support JavaScript and has other problems; but for $200, I contend
> that for a small company and a skilled user it offers great value.
>
> Javed
>
>
>
> On 2/4/2010 8:52 AM, Laverty, Patrick wrote:
>
> Has anyone had a chance to read it yet? Or have opinions on it? I
> know last time he released his report (2007), it was widely criticized.
>
> If you haven’t seen it, it is here:
>
> http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
>
> If you’re worried about a link to a PDF in an email like this, you can
> see it on this page:
>
> http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/
>
> As I am currently in the market for a scanning tool, I’m looking for
> any and all information from all sources on this sort of thing.
>
> Thanks!
>
> Patrick
>
> _______________________________________________
> Owasp-boston mailing list
> Owasp-boston at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-boston
