RE: Opinions of automated testers

From: M. Groen (mgroen0@xs4all.nl)
Date: Wed May 09 2007 - 02:27:34 EDT


Thanks for the clear explanation.

One other question, does anyone happen to know if there are sites on which
you can try "pen testing" products, like WebInspect, or Hailstorm? I mean
a "playground" on which it is allowed to do pen-testing (and make
mistakes)?

Mathijs

> Zack,
>
> First of all, it depends on what you want in a pen-test tool. Second, it
> also depends on what you mean by pen-testing. In my opinion, unless there
> is an actual exploit leveraged and a payload or injection of some sort,
> you are talking Vulnerability Assessment and not pen-testing. It's a
> semantic difference to some but there is a procedural difference between
> identifying potential vulnerabilities and actively exploiting found
> vulnerabilities.
>
> The 3 tools you list are all web application-centric in their focus and
> are not what I would consider true pen-testing tools per se; they are more
> Application layer vulnerability scanners with limited exploit payloads to
> reduce false positive findings (XSS and SQL injection checks etc).
> Watchfire's AppScan, Cenzic's Hailstorm, and SPI's WebInspect are all
> great tools but they do not test the full gamut of OS or services. If you
> are focused solely on application layer assessment then any of these 3
> should suit your needs. I personally prefer WebInspect due to some of the
> extra tools and functionality it provides, as well as the various
> customizable report patterns and compliancy-directed scanning but each has
> its strong points.
>
> If you are looking for what most on the list would consider broad spectrum
> pen-testing tools you should take a look at Core Impact or Metasploit.
> There are other pen-testing tools available but these two are probably the
> most widely used. Core=commercial, Metasploit=OSS so if your organization
> needs support not found in a chat room or online forum Core is the way to
> go. I'm fond of how Impact's payload is a memory-resident compromise so
> there is no actual change to the target compromised system and it can use
> any exploited box found to search out other machines it can see which is
> valuable in moving your penetration farther into the private network.
>
> While automated tools are getting better and easier to use, nothing beats
> an experienced pen-testing services company. The better ones go beyond
> automated tool runs and can offer services that include social
> engineering, custom exploit coding, and other company-specific scope
> needs. Depending on your budget you may also want to look into that
> avenue.
>
> Hope that helps and welcome to the list.
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
>> -----Original Message-----
>> From: listbounce@securityfocus.com
>> [mailto:listbounce@securityfocus.com] On Behalf Of
>> zackpeters75@yahoo.com
>> Sent: Monday, May 07, 2007 8:58 PM
>> To: pen-test@securityfocus.com
>> Subject: Opinions of automated testers
>>
>> Hi,
>>
>> My manager gave me our pen testing project and I'm still
>> coming up to speed so forgive me if this question is not 100%
>> list appropriate.
>>
>> From what I can tell the top 3 automated pen testing
>> programs are from SPI Dynamics, Cenzic and Watchfire. I
>> haven't evaled any of them quite yet but they each seem to
>> have their advantages and disadvantages. Cenzic is claiming
>> to be the most accurate at least according to their 20/20
>> marketing program
>> http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm
>> wondering what people have actually seen.
>>
>> And if any of you posters from SPI, Cenzic or Watchfire want
>> to email me directly and tell me your benefits, that's fine.
>> I don't want the thread to be a sales pitch, just looking to
>> benefit from the knowledge of others.
>>
>> Thanks everyone!
>>
>> Zack
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Are you using SPI, Watchfire or WhiteHat?
>> Consider getting clear vision with Cenzic
>> See HOW Now with our 20/20 program!
>>
>> http://www.cenzic.com/c/2020
>> ------------------------------------------------------------------------
>>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT