Tuesday, September 15, 2015

WAVSEP Updates, FAQ and the 2015 Benchmark Roadmap


A couple of updates on the WAVSEP 2015 benchmark:

The 2015 benchmark is already ongoing, and I started testing scanners against a newer unpublished version of WAVSEP which will be published at the end of the benchmark.

I'll be focusing on the usual commercial and actively maintained open source contenders, but may include additional vulnerability scanner engines that match my criteria or join the comparison in one of the methods listed in SecToolMarket.

WAVSEP New Homepage

As of August 2015, WAVSEP has been officially migrated to GitHub, and the various installation instructions have been migrated to the relevant GitHub wavsep wiki (installation / features).

The source code, builds and wiki will be maintained on GitHub, but I'll be releasing builds to the wavsep SourceForge repository as well.

Just to clarify - both repositories currently contain the latest public version of WAVSEP.

About the Upcoming Benchmark

The benchmark will cover all the previously covered aspects, as well as 2-3 additional attack vectors and 2-3 new measurement concepts. It's the biggest one so far, but hopefully I'll find smarter methods of assessing the products to speed up the process.

As mentioned before, to make the results useful earlier, I'll be publishing some of the results during the testing to SecToolMarket, and tweeting when there are updates to the various engines, instead of waiting until the end of the benchmark.

Vulnerability Scanner Feature Mapping to RvR

The plan is to eventually associate the various features assessed in WAVSEP with a new project called RvR (relative vulnerability rating), currently hosted at the following address, aimed at defining identical classifications of features for comparing security products.

The RvR list still includes 288 (!) attack vectors with videos, links, etc., but there are already 60+ additional attacks pending addition, contributed by volunteers from around the globe.

Trying to Release an Initial WAFEP Benchmark

WAFEP (Web Application Firewall Evaluation Project), WAVSEP's evil WAF testing brother, is almost ready for initial release, with thousands of proven WAF bypass payloads ready.
However, I'm trying to release an initial benchmark with the framework, covering 2-5 WAF engines to make my point.

It's tricky to fit these projects into the same timeframe, and WAVSEP is my current priority, but we'll see how it works - WAFEP is designed to take a lot less testing time.

In any event, I'll tweet about additional updates and whenever I update the results.

Cheers



11 comments:

  1. This is too good. I really like this share,
    "benchmarking"

  2. Great post!

    It is a very informative and helpful article. We can also use sql injection attack code for security purposes

  3. Nice post. I learn something more challenging on different blogs every day. It will always be stimulating to read content from other writers and practice a little something from their store. I'd prefer to use some of the content on my blog if you don't mind. I'll give you a link to your web blog. I recently came to know about http://machinesuae.com/, their Security Products are very effective.
    Security Products Thanks for sharing.

  4. Nice post. I was checking this blog constantly and I am impressed! Extremely helpful information, especially the last part; I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck.
    Liquid Level Sensor

  5. Great post with great information. One of the very best. I will be back again in future for something new.
    Plastic Gauge Isolator

  6. Security has now turned into an obligatory term in every one of the fields, it has turned out to be profoundly fundamental for the components in life like the schools, healing centers, clubs, houses, associations, instructive organizations, government structures and storage facilities to be outfitted with appropriate security and assurance, and consequently it is essential to contract the Security administrations London to get the best administrations and return for the cash spent on it. rogue antispyware removal

  7. A large portion of the security monitors take up the employment with the energy to spare individuals' lives at the stake of their own. A thorough preparation and self-restraint, together with solid dedication towards their work, are the ethics of good security staff. https://how-to-remove.org/malware/ransomware-removal/

  8. Easily readable post with much important information. I must come back again for something new. Keep on posting and sharing with us. Thanks for your great stuff....
    Safety Spray Shields

  9. This is my first time visiting here. I found so much entertaining stuff in your blog. Keep up the good work.
    Plastic Flow Meter

  10. I was checking this blog constantly and I am impressed! Extremely helpful information, especially the last part; I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck.
    owasp code review guide
