Tuesday, September 15, 2015
A couple of updates on the WAVSEP 2015 benchmark:
The 2015 benchmark is already ongoing, and I started testing scanners against a newer unpublished version of WAVSEP which will be published at the end of the benchmark.
I'll be focusing on the usual commercial and actively maintained open source contenders, but may include additional vulnerability scanner engines that match my criteria or join the comparison in one of the methods listed in SecToolMarket.
WAVSEP New Homepage
As of August 2015, WAVSEP has been official migrated to github, and the various installation instructions have been migrated to the relevant github wavsep wiki (installation / features).
The source code, builds and wiki will be maintained in github, but I'll be releasing builds to wavsep sourceforge repository as well.
Just to clarify - both repositories currently contain the latest public version of WAVSEP.
About the Upcoming Benchmark
The benchmark will cover all the previously covered aspects, as well as 2-3 additional attack vectors, and 2-3 new measurement concepts. Its the biggest one so far, but hopefully, I'll find smarter methods of assessing the products to speed up the process.
As mentioned before, to make the results useful earlier, I'll be publishing some of the results during the testing to SecToolMarket, and tweet when there's updates to the various engines, instead of waiting to the end of the benchmark.
Vulnerability Scanner Feature Mapping to RvR
The plan is to eventually associate the various features assessed in WAVSEP with a new project called RvR (relative vulnerability rating), currently hosted in the following address, aimed to define identical classifications of features for comparing security products.
The RvR list still includes 288 (!) attack vectors with videos, links, etc, but there's already 60+ additional attacks pending to be added, contributed by volunteers from around the globe.
Trying to Release an Initial WAFEP Benchmark
WAFEP (Web Application Firewall Evaluation Project), WAVSEP's evil WAF testing brother, is almost ready for initial release, with thousands of proven WAF bypass payloads ready.
However, I'm trying to release an initial benchmark with the framework, covering 2-5 WAF engines to make my point.
Its tricky to stuff these projects in the same timeframe, and WAVSEP is my current priority, but we'll see how it works - WAFEP is designed to take a lot less testing time.
In any event, I'll tweet about additional updates and whenever I update the results.