Network Computing is part of the Informa Tech Division of Informa PLC


Rolling Review: N-Stalker Seeks, Doesn't Find

>THE PREMISE: NWC's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. Our extended testing span lets us accommodate today's accelerated revisions cycle and focus our attention on individual products, while maintaining a consistent test bed. This installment focuses on Web application scanners. You'll find our impressions of SPI Dynamics' WebInspect in our May 28 issue, and Cenzic's AR in the June 11 issue.

>NEXT UP: IBM's (formerly Watchfire) AppScan

>PAST REVIEWS: SPI Dynamics WebInspect, Cenzic Hailstorm

>OTHER VENDORS INVITED: Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at [email protected] for consideration.

>THE TEST BED:
We chose three applications from volunteer organizations to test our Web app scanners. All are relatively simple Web apps in use for real-world functions, and they were built using a variety of development tools and platforms.
Our first application was written in C# using Microsoft's ASP.NET with Ajax (also known as ATLAS) and deployed on IIS 6.0. The second was developed on the LAMP stack (the combination of Linux, Apache, MySQL and PHP), and the third was written in Java and deployed with JBoss and Tomcat on Linux.
None of the applications has received a security audit, either at the source-code level or using external scanners. Throughout the process, every scanner will be run against the same applications: any changes made to fix security vulnerabilities found in the production systems will not be applied to the test instances used for later scans, so that each product and service has the same potential vulnerabilities to find.
Note that no vulnerabilities were intentionally added or seeded into any application. The applications will be scanned exactly as they existed in the wild at the start of the review.
Each Web application scanning product will be evaluated on advanced features and flexibility for specialized security testing; ease of use for non-security personnel; ability to map and scan Ajax functionality; prevalence of false positives, as well as the ease of making manual adjustments or obtaining product updates to address them; prevalence of false negatives; and price. Each SaaS offering will be evaluated on the same criteria, except for the first two items.
At the end of our tests we'll show you how well each product and methodology did at identifying vulnerabilities in our sample apps.