Web application security scanners are a complex class of tools that are a challenge to evaluate, and until now no formal evaluation criteria existed for them. The Web Application Security Consortium's "Web Application Security Scanner Evaluation Criteria (WASSEC)" project fills this gap by providing a set of detailed evaluation criteria and a framework for conducting a formal scanner evaluation. The goals of the WASSEC project are to 1) provide scanner users with the tools they need to conduct a detailed evaluation and make an informed decision about which web application scanner(s) to choose; and 2) provide scanner developers with a list of capabilities to compare their tools against, helping them create a roadmap of future enhancements. This presentation will give an overview of the WASSEC project and show how to use the WASSEC documents to conduct a formal scanner evaluation. Note: We won't be promoting or bashing any particular web application scanner(s) during this presentation. The WASSEC project is about giving users the tools they need to conduct a solid evaluation and make their own informed decision on which scanner(s) best meet their needs.
Brian Shura is the Director of Penetration Testing at AppSec Consulting and is also the Project Leader for the Web Application Security Consortium's "Web Application Security Scanner Evaluation Criteria" project. He frequently conducts hands-on web application security assessments, using a combination of manual and automated techniques, and has created world-class security training for developers and QA analysts. Prior to his role in application security, Brian spent five years working as a developer on large Internet-facing websites.