I just found out, I'll be taking over doing the web app scanning at work. They use WebInspect, and one thing I've heard is it takes forever to run (2 weeks + in some cases).

Not having done much web scanning, or knowing much about the product, I thought I'd turn here and get some help.

Anyone have any useful links to books / articles to get up to speed. Any tips and tricks on how to run scans.

Sadly it has to be WebInspect. We used to use something else, but one of our larger customers insisted we use WebInsepct so they could import the reports, or they'd pull the account.

You should avail yourself of the free training materials and resources already offered by HP's Application Security Center.   (Full disclosure:  I work there as part of HP ASC Fortify.)

User Forums and Researcher Blogs:  http://h30501.www3.hp.com/t5/HP-Application-Security-Center/ct-p/sc01
- Requires a free HP Passport account to Post messages.

ASC Support Portal:  http://support.openview.hp.com/
- Also uses HP Passport account.
- This portal gives you 24/7 access to the WebInspect KB, as well as the ability to submit/manage support cases.  Great for pre-populating your case with all details and data rather than trying to get first-level support to type it in for you over the phone!  Wait 20 minutes and call in with your assigned Case# to get routed directly to the person who picked up that case.
- The Support Portal requires that you link your HP Passport account with your "Entitlement" or "Contract", known as the SAID number.  Since you have WebInspect in front of you, the SAID number is displayed under the "About WebInspect" menu item.

Semi-monthly technical demo on using WebInspect (free registration):  http://techdemos.com/
- Every other Friday at 1 PM EDT.

Your HP Sales representative:
- Chances are your company's/area's HP Sales rep is keen to try to sell you or your boss new stuff, but knows very little about the security product line.  Lean on them to put you in touch with someone who can actually really help you, and then fend off their free lunches as long as possible.   ;-)


Regarding scans taking two weeks, that sounds crazy.  You seriously need to review the actual scan results and the available scan settings, with an expert if possible.  Anytime I hear of a scan taking more than overnight I just *know* there is some setting to change that can make it more efficient.  The guy before you probably ran the product with the default settings, which is only a good baseline for what might be found in the real world.  Your site may require increased script parsing, redundant page detection, custom state-keeping or navigational parameters, or other "shaping" controls and limitations for the crawler.


Enjoy!

I second HansE on the opinion that something is probably orrectly incorrectly in the application - two weeks for scanning a single target, especialy that you will be doing internal scans, it's way too much.
Actually this is the "secret" in using a vulnerability scanner correctly: make sure that the setup/profile/plug-ins used are designed to match your needs.

Regarding which resources to use, I think that HansE already pointed you to the right direction.

Good luck with your new task!

Thanks guys. Sil I'm surprised I was expecting much longer reply from you.   I figured you and H1tM0nk3y would have the best input (why I started the thread).

Definitely have things to look into.

sil's point is very valid.  Pre-canned tools will often give you good results, but you ALWAYS have to weigh the outcome against costs.  If you're simply testing your own company, and stealth is not an issue, then you should evaluate with as many tools and tests as possible.  But if you're contracted to test in a more covert manner, you're much better tailoring your testing to be more stealthy.

Pay close attention to the parameters that he pointed out, if you plan to continue to use the tool, as by learning to tweak the performance and stealth options, you'll get a better understanding of things.  sil has (as have I, and assuredly many others here on EH) spent time with these tools in the lab, where he could analyze results of various testing methods and parameters.  It goes a long way in helping you get better at what you do!

Your not working  for (or for a subsiduary of) sony are you?

If it was just the one client, and they accepted the time, I'd be good with it. But  we have to do more than just that client, and there in lies the problem.

Sil, Actually, I'm curious who you think it is I work for. PM me. Wouldn't surprise me if you do know who.

I try to keep my current employer and my connection limited on the net, partially to make it harder to be an SE target.  But I'm overly cautious about saying where I work currently, because of an event that happened at work. My supervisor got very strange when I already knew other people that worked there.