Security UPDATE--Web Security Scanning: David vs. Goliath--November 7, 2007


Messaging Management

Using SharePoint 2007 as a Platform for Managing Information Across the Enterprise

The Essential Guide to E-Discovery & Recovery for Microsoft Exchange



IN FOCUS: Web Security Scanning: David vs. Goliath


- Cisco Adds Policy Management with Securent Acquisition

- Majority of Marketers Don't Consult Execs Regarding Private Data

- McAfee Latest Acquisition: ScanAlert

- Recent Security Vulnerabilities


- Security Matters Blog: Laptops Phone Home

- FAQ: Local Continuous Replication on Exchange Server 2007

- Share Your Security Tips


- Security Information Management Solution Adds Compliance Features

- Product Evaluations from the Real World




=== SPONSOR: Symantec


Messaging Management

Guarding against the growing threats to the corporate email and IM environment has become an ever-consuming task of the IT professional. Now is the turning point for IT security professionals to look at their mainstays in their defense strategy and make sure they are pulling their weight. In scrutinizing your messaging management solutions, this valuable guide shows that securing a mail and messaging infrastructure should not be an afterthought. A secure mail and messaging infrastructure is fundamental to your business and any organization should plan for the appropriate message hygiene, availability, and control services from the start.

Download this free resource before evaluating message management solutions.

=== IN FOCUS: Web Security Scanning: David vs. Goliath

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

It's glaringly obvious that Web technology is getting more popular by the minute. I think it's safe to assume that the majority of companies with one or more network-enabled products are looking at how they can leverage the Web to increase the revenues generated from those products--if they haven't already jumped into the Web services market.

Add to that lot the huge number of e-commerce sites, toss in all the new so-called Web 2.0 sites that are popping up, and we find ourselves at a new level of frenzy in technological evolution. Naturally, one issue on nearly everyone's mind is Web security.

In the News and Features section of this newsletter, you'll find a story about McAfee acquiring ScanAlert, a company that provides Web security scanning services to e-commerce sites. Those who pass muster get to display ScanAlert's logo, which helps builds consumer confidence. McAfee will pay around $51 million in cash for ScanAlert, if that gives you any idea how important the Web application security market has become.

Recently, I was made aware of an interesting comparative review conducted by Larry Suto, an application security consultant. Suto examined three commercially available Web application scanners: NT OBJECTives' NTOSpider (at the first URL below), Watchfire's AppScan (at the second URL), and SPI Dynamic's WebInspect (at the third URL). As you might know, NT OBJECTives is an independent company--"David" when compared to "Goliaths" Watchfire, which is owned by IBM, and SPI Dynamics, which is owned by HP.

The review results stirred quite a bit of debate. According to Suto's test results, NTOSpider outperformed the two other tools by a country mile. NTOSpider crawled more links, found more vulnerabilities, and returned zero false positives in terms of vulnerability detection. In short, David beat Goliath quite convincingly.

Suto tested the scanners against three applications: a closed-source application, an open-source blogging platform, and an open-source customer management platform. He also used Fortify Software's Fortify Tracer (at the URL below) to determine how effective the scanners were in exercising the tested applications. Suto said that during his tests, "Each scanner was run in default mode and not tuned in any capacity to the application. The importance of this lies in how effective the default mode \[is\] so that scalability of scanning is not limited by manual intervention and setup procedures which can be very time consuming."

That aspect of the tests is what stirred so much debate. Some people argued that fine-tuning each scanner before conducting tests would yield better results. Others agreed with Suto's methodology. Still others had a lot of "sacred cows" that skewed their perspective.

Regardless of the various opinions, the test results are useful. In addition to the real surprise--that NTOSpider beat both AppScan and WebInspect--the tests reveal once again (as other independent tests have shown) that AppScan is most likely better than WebInspect.

More good news for NTOSpider is that Veracode, which offers a Web security rating service (at the URL below), recently chose it as the company's tool of preference after closely examining many competing tools. Veracode was cofounded by Chris Wysopal, formerly at L0pht and @stake, aka "Weld Pond."

You can get a copy of Suto's entire report (in PDF format) over at Be sure to read the comments at the site too (at the first URL below). You can also read a bit more at Jeremiah Grossman's blog, at the second URL below.

=== SPONSOR: CorasWorks


Using SharePoint 2007 as a Platform for Managing Information Across the Enterprise

Learn the basics of the content management process and understand how workflow and information management policies are implemented in Office SharePoint Server 2007 solutions. After listening to this podcast, you will know how to develop a tactical approach to your own automated processing solutions with ease of implementation and use as key components of that solution.



Cisco Adds Policy Management with Securent Acquisition

Cisco is set to acquire Securent, a policy management solution provider, for $100 million in cash. Securent solutions help ease policy enforcement through the use of a centralized policy management system and work with commonly used platforms such as Microsoft SharePoint, BEA WebLogic Portal, IBM WebSphere Portal, JBoss Portal, and Documentum.

Majority of Marketers Don't Consult Execs Regarding Private Data

A study sponsored by Microsoft revealed that a whopping 70 percent of marketing personnel do not consult their company's security and privacy executives before collecting or using personal information.

McAfee's Latest Acquisition: ScanAlert

McAfee is about to enter the Web site security scanning market. The company announced plans to acquire ScanAlert, a company that certifies sites as safe if they can pass baseline vulnerability audits.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Lucid8


The Essential Guide to E-Discovery & Recovery for Microsoft Exchange

With more than 75 percent of business-critical information residing in e-mail today, you are more likely to find evidence sitting in someone's inbox than in their filing cabinet or on a file share. The growing importance of e-mail has not been lost on the lawyers, courts, or government regulators. In fact, e-mail is being placed at the center of legal discovery requests and is increasingly used in a variety of legal and regulatory proceedings, from e-discovery for civil lawsuits to providing the grounds for prosecuting criminal cases.




by Mark Joseph Edwards,

I read a very interesting story about how a laptop thief operated and how he got caught, thanks to a tracking device in a computer. The guy was a smooth operator, but not smooth enough. Learn more about this story, plus get some tips about buying laptops on eBay.

FAQ: Local Continuous Replication on Exchange Server 2007

by John Savill,

Q: How do I enable Local Continuous Replication (LCR) on Exchange Server 2007?

Find the answer at


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Security Information Management Solution Adds Compliance Features

eIQNetworks announced the availability of SecureVue 3.0, which adds governance, risk management, and compliance (GRC) features; network anomaly detection; and 3-D illustration to the product's existing security information management (SIM) capabilities. SecureVue integrates GRC functionality with SIM to support a company's adherence to regulations, best practices, and internal policies. In addition to providing tools to help define and monitor controls and policies, the GRC module provides reports for auditing purposes. The SIM module's new anomaly detection looks for incongruities based on resource utilization, application usage, and behavioral patterns. The 3-D capability shows log data, security incidents, access control list effectiveness, profiler data, and traffic patterns. SecureVue 3.0 is available on Windows and Linux, starting at $47,995. For more information, go to


Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to [email protected]



For more security-related resources, visit

Comparing Email Management Systems that Protect Against Spam, Viruses, Malware, & Phishing

As a systems administrator, you're tasked with determining which email security tool is the best fit for your company. Sunbelt Software engaged Osterman Research to survey enterprises that use one of the five leading email management systems that protect against spam, viruses, malware, and phishing attacks. This white paper presents the results of this survey and is a must-read for any administrator researching email security tools for Microsoft Exchange.

Protecting Mobile Users' Data

In this Web seminar, David Chernicoff discusses the protection and backup of data for mobile and casually connected users and provides ideas, suggestions, and solutions to associated problems.

Learn the Fundamentals of Messaging Management Systems

Now is the time for IT security professionals to look at the mainstays of their defense strategy and make sure they pull their weight. A secure mail and messaging infrastructure is fundamental to your business, and every organization needs to plan for appropriate message hygiene, availability, and control services from the start. Download this free resource before evaluating message management solutions.



Compliance Mythbusters: The Truth About Common Myths and Misconceptions of Email Archiving

Learn from other people's mistakes, not your own! This Web seminar reveals the common mistakes and misconceptions about message archiving, regulations, and e-discovery. You'll learn how these misconceptions came about, how to avoid common mistakes, and what to do to meet today's email archiving and e-discovery needs.



Discover the New SQL Server Magazine

Don't miss the relaunched SQL Server Magazine, coming this month! Besides a new look, we have even more coverage of administration and performance, development and Web apps, BI and Reporting Services, and SQL Server fundamentals. Subscribe now and save 58% off the cover price.

Packed with thousands of articles, bonus content, and loads of expert advice, the Windows IT Pro Master CD is like having your very own team of professional SQL Server consultants in your pocket. Get real-world solutions lightning-fast--order the Windows IT Pro Master CD today. Includes a one-year subscription to all online content at!


Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected]

to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

TAGS: Windows 8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.