Comments on Jeremiah Grossman: Where's WhiteHat? Re: Scanner Comparisons
http://jeremiahgrossman.blogspot.com/feeds/2664646313041922146/comments/default







Updated: 2018-04-12T05:16:05.215-07:00

 



Hi thanks for the info but in fact I was surprise ...

2011-01-23T04:04:42.925-08:00

Hi, thanks for the info, but in fact I was surprised to see that the www.gamasec.com website application scanner SaaS was not in the list of web scanners that you compared. After using different other online website scanners, we chose to add the www.gamasec.com scanner for our website, and we were pleased with the results and the recommendation reporting.

Have a look, it is an interesting SaaS web scanner.



@Drazen I think there is a huge disparity in the g...

2010-02-27T08:48:58.907-08:00

@Drazen I think there is a huge disparity in the general market about what these tools are really capable of. So, if nothing else, it provides another recent reference for would-be users. And yes, a lot of people have and will continue to read it.



Wondering what people were expecting to see from t...

2010-02-26T23:01:54.691-08:00

Wondering what people were expecting to see from the results? Seriously. Taken for what they are, and with their known limitations, were there any surprises? A pointless exercise to a degree? Maybe, but at least it highlights those "limitations" to the market. But does anyone outside our industry really read this stuff anyway?

DD



@anonymous, tell ya what. Next time there is a "...

2010-02-22T14:06:05.846-08:00

@anonymous, tell ya what. Next time there is a "review" that includes McAfee Secure, Qualys WAS, Cenzic Click2Secure, HP AMP, etc., we'll take part. Until then, we are not a scanner and do not want to be grouped with them in the market.



I'm a bit disappointed - great opportunity to ...

2010-02-22T13:14:20.561-08:00

I'm a bit disappointed - great opportunity to prove WhiteHat's (claimed) superiority but you decide to avoid an honest comparison made by an independent analyst.

Considering all the smack talk about HackerSafe some years ago, the least you could do was to participate in this scanner review.

I'm not defending HackerSafe (McAfee deserves to die in fire), hell no, but I'm asking you to put your money where your mouth is.

Let's face it: all the eye candy reporting, compliance graphs, mitigation help and executive summaries are absolutely worthless if a product/service can't find the vulns.



@AppSec... yah pretty much. Actually I didn't ...

2010-02-12T11:59:40.312-08:00

@AppSec... yah pretty much. Actually I didn't even consider your last point. People might have claimed if we did well that our process was somehow unfair to the rest.



Jeremiah: I think SaaS in these tests are a catch ...

2010-02-12T11:56:27.142-08:00

Jeremiah:
I think SaaS in these tests are a catch 22.

But by not getting into it, WhiteHat is left vulnerable to missing out on some prospective clients (I'm not saying this as a positive or negative). When I started in this industry, the first thing I looked for was something like this (granted, it didn't exist). It is possible that I would have tried to find out more information, but I don't know.

The flip side is, seeing that these were all test sites that are publicly available, I would have questioned whether you'd already done analysis before the review was even done and spent more time than disclosed!

The latter, of course, is the joy of being in the security industry :-).



I am not a fan of blackbox testing products, or se...

2010-02-09T14:18:30.020-08:00

I am not a fan of blackbox testing products, or security vendors of any kind, but I (and people I have worked with) have used Acunetix, and no-one has ever had problems figuring out how to enter credentials. Seriously, you can even find script kiddies who can manage it.

He claims that if the scanner popped up a window asking for login details, he would provide them; this seems a really odd feature to rely on, what if a scanner popped up questions related to other things, would he answer them?

Either this is a ploy to favor scanners with that (useless, I might add) feature over others (and probably making several of these types of decisions to end up favoring his preferred scanner over all the others), or he has no idea what the fuck he is doing.



Much food for thought

2010-02-09T13:36:09.946-08:00

Much food for thought



I think as Jeremiah mentioned, although such compa...

2010-02-09T11:59:51.243-08:00

I think, as Jeremiah mentioned, although such comparisons can be helpful and shed some light on what to buy etc., the best solution is to test the scanner or SaaS against the site it will be testing. As we've seen, each solution will behave differently on each target. Therefore, in a way, it is kind of "useless" trying to blame one or the other, or to say who is the best.

Good post Jer



@Jer - well said. I think it's difficult to c...

2010-02-09T11:55:03.966-08:00

@Jer - well said. I think it's difficult to compare the two models (SaaS and stand-alone) in the same light. They have very different value propositions. Likewise, I could see there being a whole other category that Larry didn't cover at all, which is scale. When you get to the high end of the market, a minor configuration hassle can suddenly explode into a nightmare when you have to do it over and over 1000 times. There's a big hidden cost there too, which I don't think most people realize.

Anyway, I respect your decision, and hope you can figure out a way to work your scanner into future tests.

-RSnake



@Anonymous1, first thank you for being a customer ...

2010-02-09T11:50:04.098-08:00

@Anonymous1, first thank you for being a customer -- each is valued highly. While you may be right, it may have been a missed opportunity, but here is where I'm at...

Many fall into the vulnerabilities-per-dollar trap when comparing black box scanners (or any assessment for that matter). If a scanner finds nothing or very little, perhaps because there is not much to be found, often the results are perceived to have little value. This is certainly not the case and I've blogged on the subject before.

Instead, black box scans / assessments should measure the hackability of a website given an attacker with a certain amount of resources, skill, and scope. This is what we simulate (an attacker): complete an in-depth assessment, continuously (unlimited), at large scales, and without our customers needing to hire additional staff. This is how a similar solution should be valued. So I'd counter that Sentinel rates cheaper than running scans in-house if you include all the technology & human resource costs required for such a program.

So in this case, even if we found more vulnerabilities, it would have demonstrated very little of Sentinel's core value proposition. Besides, we are not a desktop scanner, we don't want to be seen as anything similar, and that is yet another reason why we declined.

@Anonymous2, your feedback is well taken. Missing vulnerabilities happens to everyone no matter what technology or methodology is used. It'll be a never-ending fact.

In our case you'll find our engineering team more than happy to receive reports when issues are reportedly missed. Root-cause analysis will be performed and we'll improve the technology. We regularly analyze reports from the aforementioned scanners. We know very well how good they are relative to ourselves.



I second what anonymous above just said. As someo...

2010-02-09T11:29:21.883-08:00

I second what anonymous above just said. As someone who has previously used Sentinel as well as three of the tools in the report, the results were not much different, and in some cases Sentinel missed fairly major (and simple) vulns the tools detected.



I think you guys passed on an excellent opportunit...

2010-02-09T11:16:48.235-08:00

I think you guys passed on an excellent opportunity to put your money where your mouth is. The Sentinel service you offer is very expensive, and I for one have used it along with most of the tools on the list with only marginally better results; you did identify some stuff others missed, but the cost of the service does not offset the results.