Mighty Seek

My son's animation

February 2nd, 2008

My 3rd grade son did this awesome animation using Stickman, so I have to show it off.


Coverage of web application scanners

October 16th, 2007

My buddy rsnake over at Ha.ckers.org posted a report from Larry Suto about tests he performed on web application scanners, comparing how well they cover a web application's code base.

The report is interesting on many fronts, one of which is the fact that the tool I help build at NT OBJECTives came out on top, but also because it's the first type of review that's looking at a statistic that really compares scanners in a quantifiable way.

Some comments on the site from users of the other products, or from the vendors themselves, have made the claim that web scanners are not designed to be “point and shoot”, as they say, and that a human should be training the scanner for each web app. I think they are doing users a disservice to work from that assumption.

A scanner should do as much as it can on its own, and let humans do their own pen testing and/or help point pen testers to areas of interest. If you're an organization with hundreds or thousands of web apps that need testing, do you really have the manpower to teach your “automated web scanner” how to test each of those apps?

Do you really have time to spend clicking on every link, and filling out every form on a website with some 3000+ pages, or do you want the scanner that does the best job of doing all of this for you?


podPress 8.3 Released - With Podango Support

September 28th, 2007

For all the details, check out the changelog, but this is one release that cleans up a ton of mess and adds in support for full integration with the Podango API.

There's still a few tiny features I want to add in, but it's in good shape, and I need sleep so I can run off to the Podcast Expo in a few hours.

UPDATE - Bug in this version… of course, so hang on for the next release, due out in a few hours.


The Ha.ckers.org Hacking Challenges

August 23rd, 2007

As many of you have seen, I have a “Hackme” site set up to go along with my podcast, and specifically for the Hands On Series podcasts. Well, the current king of Web App Security blogging has set up a couple of hacker challenges on his site. The ones on my site are really focused toward teaching; the ones on ha.ckers.org are set up for the fun, challenge and bragging rights.

I have had the misfortune of being completely swamped in work during the start of these last two, but when the third is up, I'm cleaning my calendar, turning off cell phones and ignoring any unnecessary chats so I can beat it as quickly as possible and get listed in the top ten. Knowing rSnake, I may decide to put together a small MightySeek team to work together to increase our chances, but I will see how it plays out.

Go have fun, and test your skills.

Btw, #2 had a logic flaw, which really opens up the next one to additional scrutiny to see what's possible to find during the next one.


Evaluating Web Application Security Scanners

August 23rd, 2007

There's been a lot of discussion lately about an issue that's near and dear to my heart. The capabilities of web application security scanning are something I have been living and breathing for about 5 years with NT OBJECTives. At NTO I lead the development and research teams involved in building our own scanner, called NTOSpider, and have been trying to increase what is possible to test for in an automated tool.

This is a really difficult and challenging issue, with a bunch of issues that are fuzzy at best. I have high hopes for the WASSEC Project that's being hosted by the Web Application Security Consortium, because it's going to bring a bunch of us from the app sec tool vendor space and the web app sec community together to discuss the issue and attempt to come up with a good reference document for the ways to evaluate scanners.

I’m curious how we will be able to come up with any consensus, but with any luck and some hard work and compromise, I think this could be a turning point in helping public understanding of this issue.


WordCamp Experience

July 23rd, 2007

I had a pretty interesting day yesterday.
After being up till close to 2am, I woke up at 5:30am, showered and drove to the airport to do my 10am talk at WordCamp 2007.
My flight landed at 8:30am and I was picked up by my old buddy Joe Engo. After a couple of wrong turns we finally got to the event location at 9:30, in time to get set up.

I finally had a chance to meet Matt Mullenweg, and was thoroughly impressed; this is one young man to watch. To think that at 23, he's at the head of a project that's impacted so many people, and has gained so much interest and respect, and has managed to build a business model around an open sourced app… no easy feat.

So then it sets in. I’m the opening presenter at this conference… I’ve really been too busy to have thought much about my talk at WordCamp the preceding couple of weeks because work has been crazy busy. But standing there getting set up to open the conference, I got a bit nervous. It's also been a couple of years since doing one of these types of things, so I really started feeling completely unprepared.

Matt introduces me and I ask the audience a few questions about who's familiar with podcasting (everyone) and how many podcasters are out there (a few). Well, this kind of took some thunder out of my slides, which were intended to help explain podcasting basics. I had to think quick to adjust my talk and explain my views of how I feel podcasting to be a little more personal and blah blah. It was a bit of a slow start.

So I figured I could launch into the stuff about podPress and show off the features and talk some praise of WordPress, which I started… and then the Internet connection went dead. Just as I was starting to feel a little comfortable…
With some quick action by the Automattic team I got back online, and was quickly followed by the audience, and was able to start cracking some lame jokes and getting into a groove about podPress, podcasting and WordPress.

Even with the slow start, I felt like I was finally able to connect and coherently discuss some of the things I am passionate about, and hopefully show how easy it is to get into podcasting, the cool features of podPress and the amazing platform WordPress provided that enabled me to create the feature set. The talk was videotaped, so as soon as I get a copy of the video I will be adding the media to this post so it will end up in my feed as a video podcast.

As soon as my talk was over, I chatted with a few people in the lobby for about half an hour, and then headed to the airport to get back home. Next year, as a speaker or not, I’m going to make sure to plan better so I can stay for the entire weekend.

Update: The video is now available.


Forums back online

July 22nd, 2007

Thanks to the generous sponsorship of Podango the MightySeek/podPress forums are back online!


The Sierra Network (ImagiNation) - Lives again

July 3rd, 2007

Back in the early 90’s, yes, back even before most had even heard of the Internet and the geeks spent most of their time on BBS’s, there were a few online services trying to get going. AOL, Prodigy and CompuServe were fairly well known, but there was one other that stole my heart. It was the ImagiNation Network, and primarily MedievaLand and its first game, The Shadow of Yserbius.

Way back before World of Warcraft, Neverwinter Nights and Ultima Online, there was The Shadow of Yserbius, which really set the bar for online gaming.

The whole network was unbelievable in its scope. You could play the D&D style Yserbius, card games at the club house, gamble at CasinoLand, have simulated dog fights in the Red Baron game, play the popular Boogers game, and even get help with your homework.
To this day I have not seen anything to match the fun and variety that I had the privilege to experience back in the days when I was spending thousands of dollars and endless hours experiencing life “online”.

I have cherished my memories of those days and have copies of all the old software and hacks, which I have kept faithfully for the last 15 years. I have joined a couple of efforts to re-create the world, but all have failed… until now. A guy who goes by the name of byoung was able to re-create the server so that the old client software is able to work in DOSBox, which redirects the modem calls over TCP/IP. His website has all the software and directions to get set up very easily. It took me all of 10 mins to get everything installed and working. **To make it even easier to get started, use the installer I created**

I spent about 4 hours online yesterday playing The Shadow of Yserbius with a few other people and building up my character. Oh man, have I forgotten a ton, but the memories flooding back are a total blast. Even if you never played back in the day, I encourage you to get set up with it and join the growing community of users. If you let me know you will be in, I will be glad to join you for any game you like. I'm having fun re-discovering all the cool stuff in this world of ImagiNation.


iPhone - I don't get the hype

June 30th, 2007

It's crazy… I really just don't get this craziness over an insanely priced cell phone. Now keep in mind, I live with my video iPod; it goes everywhere with me and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can have a single device so that I don't have to carry the iPod and cell phone.

However, the iPhone just isn't it for me. It's cool, and it's heading toward the dream of having a single device, but for $600 and having to switch to a crappy cell phone carrier, NO THANKS. Aside from the price and cell phone carrier monopoly, I really just can't stand touch pad phone buttons. I need to be able to dial without looking, and can only do that with actual buttons. Touch screens wear out, and it becomes a pain to push the button you want. I'm sure you are all experienced in using the touch screens at the market when you pay by debit card, and the hassles when they start wearing out. Do we really want that on our cell phone, where we have a $600 price tag to replace the thing? Not me.


Planet Websecurity

June 29th, 2007

For those trying to follow the latest news of our web app sec community, someone has finally set up a feed planet called Planet Websecurity that I’m really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.

For those not familiar with Planet sites, they are basically RSS readers which download other RSS feeds and merge them together into a single feed. This means you can subscribe to one and get all the postings from all the feeds in the Planet.

Visit Planet Websecurity to see this in action.
