
List:       owasp-dotnet
Subject:    Re: [Owasp-dotnet] [Fwd: SPI Dynamics Wins Secure Enterprise Testers
From:       Dinis Cruz <dinis () ddplus ! net>
Date:       2005-09-13 7:00:19
Message-ID: 43267903.7060106 () ddplus ! net

Once again, more references to SPI Dynamics' use of the Owasp Top 10!

I think it is time for us to ask SPI Dynamics how they use the Owasp Top 
10 in their product, what claims they are making and how exactly they 
are testing this.

Is anybody out there with some spare cycles that could write this 
'official' letter from Owasp to SPI Dynamics?

I am also quite interested in knowing more information about the actual 
results (since this article almost doesn't talk about it, it mainly 
talks about the functionality of these tools, not their effectiveness in 
detecting vulnerabilities).

Dinis Cruz
Owasp .Net Project Leader

Daniel Cuthbert wrote:

> Loads
>
> The reason it works is that it has loads of shiny buttons and the 
> marketing department claims it to be the best.
> They only let you test it on their vulnerable web site, but anyone 
> with a small sense can guess it's been designed to "find" all those holes.
>
> Easy tip for anyone wanting to totally stuff the automated scanners:
> Make Apache/IIS return 200 OK's for EVERY request. This will make it 
> light up like a Christmas tree for vulnerabilities found.
>
>
> On 12 Sep 2005, at 21:44, Dinis Cruz wrote:
>
>> Any comments?
>>
>> From: SPI Dynamics <news@spidynamics.com>
>> Date: 12 September 2005 20:30:48 BDT
>> To: dinis@ddplus.net
>> Subject: SPI Dynamics Wins Secure Enterprise Testers Choice
>> Reply-To: news@spidynamics.com
>>
>> SPI Dynamics and Microsoft
>> Webcast: The Hacker Evolution: New Trends in Application 
>> Vulnerabilities and Exploits
>>
>> Secure Enterprise Magazine chose SPI Dynamics WebInspect 5.5 as the 
>> Testers Choice product in a recent Web Application vulnerability 
>> scanner product review. Read the entire Secure Enterprise review at: 
>> http://www.spidynamics.com/assets/documents/SecureEnterprise_WI5.5_review.pdf 
>>
>> To test your Web Application, download our complimentary 15-day 
>> product trial that delivers a comprehensive vulnerability report.
>>
>> WebInspect Enterprise Edition 5.5. delivers a complete enterprise 
>> solution for addressing security throughout the application lifecycle.
>>
>> SPI Dynamics, Inc.
>> 115 Perimeter Center Pl. NE.
>> Suite 1100
>> Atlanta GA 30346
>> 678.781.4800
>> sales@spidynamics.com
>> Toll-Free: 1.866.SPI.2700 (1.866.774.2700) www.spidynamics.com
>
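
Added example, not part of the original thread or of any scanner's code: the quoted tip works because a status-code-only check treats every 200 OK as "resource exists", so a tester validating scanner output can first request paths that cannot exist and discard findings whose bodies match that catch-all page. The in-memory servers, paths and the 0.9 threshold are constructed assumptions.

```python
import difflib
import uuid

def probe(fetch, path):
    """Fetch a path and strip the reflected path so error pages compare equal."""
    status, body = fetch(path)
    return status, body.replace(path, "")

def soft_404_baseline(fetch, probes=3):
    """Bodies returned for paths that cannot exist, or None if the server says 404."""
    bodies = []
    for _ in range(probes):
        status, body = probe(fetch, "/" + uuid.uuid4().hex)
        if status != 200:
            return None
        bodies.append(body)
    return bodies

def confirm_findings(fetch, candidates, threshold=0.9):
    """Split 200-OK candidates into (confirmed, rejected-as-catch-all)."""
    baseline = soft_404_baseline(fetch)
    confirmed, rejected = [], []
    for path in candidates:
        status, body = probe(fetch, path)
        if status != 200:
            continue  # honestly reported as missing: not a finding
        looks_like_catch_all = baseline is not None and any(
            difflib.SequenceMatcher(None, body, b).ratio() >= threshold
            for b in baseline)
        (rejected if looks_like_catch_all else confirmed).append(path)
    return confirmed, rejected

# Constructed sample servers (in-memory stand-ins, not real hosts).
PAGES = {"/admin/": "<h1>Admin console</h1><form>login</form>"}

def catch_all_server(path):
    # Configured as in the thread: 200 OK for every request.
    return 200, PAGES.get(path, "<html><body>Sorry, %s was not found.</body></html>" % path)

def honest_server(path):
    return (200, PAGES[path]) if path in PAGES else (404, "Not Found")

CANDIDATES = ["/admin/", "/backup.zip", "/test.php"]  # constructed scanner checks

if __name__ == "__main__":
    print(confirm_findings(catch_all_server, CANDIDATES))
    print(confirm_findings(honest_server, CANDIDATES))
```

Stripping the requested path before comparing matters because catch-all pages often echo the URL, which otherwise lowers the similarity score enough to let false positives through.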



