6:06 PM -- Remember that Web application security scanning report that stirred so much debate last week? Well, NTObjectives, the company whose relatively unknown NTOSpider scanner swept IBM/Watchfire's AppScan and HP/SPI Dynamics' WebInspect in the report, has been hammered by several distributed denial-of-service (DDoS) attacks ever since the report started spreading around the blogosphere.
The attackers have used revolving IP addresses, according to NTObjectives' CEO JD Glaser, so it's been difficult for ISPs to block the sources of the attacks. Glaser says he doesn't know who's behind the attacks, but assumes it's just hackers trying to prove themselves. "Hopefully, it'll die down in a week or so," he says.
Glaser says the attacks have rendered the site inaccessible at times, but there's been no evidence that its servers have been compromised. So far, NTObjectives has been tuning its Web server and bringing a load-balancing solution online, according to Dan Kuykendall, director of engineering and information technologies for the company. "There's not a ton we can do with having a firewall block this kind of thing without risk of blocking legitimate users," he says.
Meanwhile, the Web app security scanner report, written by independent consultant Larry Suto, was an attempt to quantify how well these tools actually perform. It measured the number of links the scanners crawled, the coverage of the applications they tested, the number of vulnerabilities they found, and the number of false positives they generated.
According to Suto's results, NTOSpider basically kicked butt in all of the categories: AppScan missed 88 percent of the legitimate vulnerabilities found by NTOSpider, and WebInspect missed 95 percent of them. NTOSpider also came out with a 0 percent false positive rate, while AppScan had a 16 percent rate, and WebInspect a 52 percent rate, according to the report.
Not surprisingly, the report drew both kudos and criticism, much of it over which features are the most meaningful to measure.
Kelly Jackson Higgins, Senior Editor, Dark Reading