Velocity Reviews - Vulnerability assessment for OS, XML, web services

SAD wrote:
> This article discusses XML and web services vulnerabilities based on
> libraries, operating systems, databases, protocols and so on.
>
> http://www.webservicessummit.com/Vulnerabilities.htm
>
> Can anyone recommend a vulnerability assessment tool that works for a
> network with a mix of software and operating systems?
>

For general scanning ISS works fairly well for vulnerability assessment,
there are a number of others however ISS has fewer false positives than
others I have worked with. False positives even with ISS can be a pain
in the petute as they too must be examined and ensure that the
vulnerability does not exist. This is much harder than confirming the
existence of a vulnerability. It looks for nix and winx vulnerabilities.

http://www.iss.net/

ISS however does not detect issues with website construction.

For that there are a number of tools however a good start to identify
website application issues however a good start is a tool by Spi
Dynamics called Web Inspect that will identify a number of exploitable
issues with website security irrespective of hosting OS. Note ISS
should also be run in conjunction with webinspect. Webinspect also may
be run against NIX and Winx hosts.

http://www.spidynamics.com/

There are other tools that assist in examining other facets of network
host vulnerability but these will get you 95% where you need to be on
assessment of network vulnerabilities. Without knowing further the
specific facets of what you wish an automated inspection of, I am
limited by space as to recommendations.

Winged