ethicalhack3r

RandomStorm have acquired Damn Vulnerable Web App (DVWA) :)

RandomStorm showed their interest in DVWA and wanted to help the project grow. After some weeks of talks we have settled on an agreement which I believe will benefit the DVWA project immensely.

What do RandomStorm do?

RandomStorm was formed in 2007 to provide a proactive vulnerability management service for companies and organisations that take network security seriously and need to demonstrate maximum due diligence in protecting personal and corporate information.

Without going into too much detail RandomStorm will help develop DVWA further, help with marketing, help with direction and overall make the project as good as it can be. DVWA will now be part of the RandomStorm Open Source Project and will be hosted with them in the near future. I will still play a strong role in the development and general overseeing of the project. The acquirement of DVWA has nothing but positives, the project will still be as great and even greater than it is, I still get to work on my baby, DVWA will still be open source and the project has the backing of a great company, RandomStorm.

Andrew Mason, Chief Technologist at RandomStorm says:

I see that combining efforts on this will really add value to this great tool and take it to the next step.

RandomStorm will be releasing an official press release in the near future. I would really like to hear everyones feedback so please comment.

In the meantime you can follow RandomStorm on Twitter: @RandomStorm

I started a poll last week on the 1st of December tittled ‘Open Source Web Application Vulnerability Scanners’. The aim of this poll was to gain feedback from as many people in the security community as possible to find out which was their preferred open source web application vulnerability scanner, what they preferred about it and what they would improve about their favorite scanner. The poll has run for almost 7 days. The poll link was posted on Twitter (via my Twitter account), on this blog and on www.ethicalhacker.net.

The total number of submissions was 32 however there were some anomalies in the data mainly due to my own fault. I had originally included Burp Suite, I had confused their free version with it being open source, it turns out this is not the case. I also had submissions from application developers, I did not state that I wouldn’t be counting their votes however I believe it fairer if we didn’t. After taking out the votes for Burp Suite (3 before removing the option), the submissions from application developers (2) and submissions for other commercial scanners (2), it left us with a total of 25 submissions.

The results:

w3af: 11
Metasploit Framework: 8
Nikto: 4
Wikto: 1
WebSecurify: 1

Stability: 4
Less false positives: 3
More features: 2
Scan time: 1
Output: 1

More features: 2
Scan time: 2
Stability: 1
Output: 1
Configuration: 1
Make ’scenario’: 1

As you can see from the results w3af is the clear favorite open source web application vulnerability scanner of the people who made submissions with the Metasploit Framework coming a close second. Judging from some of the additional comments, I believe that some people were voting for the Metasploit Framework itself rather than the web application modules it includes. The two biggest improvements the community want in w3af is stability and less false positives.

Open Source Web Application Vulnerability Scanner links:
w3af – http://w3af.sourceforge.net/
Metasploit – http://www.metasploit.com/
Nikto – http://cirt.net/nikto2
Wikto – http://www.sensepost.com/research/wikto/
WebSecurify – http://www.websecurify.com/

Big thanks to everyone who took the time to take the poll.

I am trying to find out from the community which open source web application scanners they use and why. Please take the poll, once, and answer honestly. Thank you! ;)

http://spreadsheets.google.com/viewform?formkey=dFNpQmNfUWx4UEFicW0wQXlZTFQyV0E6MA