Richard,

I'm not sure about SPI's product, but if you want to test the site for potential vulnerabilities and likely attack vectors, you can also try open source tools like nmap and nikto. Nikto in particular is good at checking Web servers in particular. There's Nessus as well, but they took that closed source; at least some versions of it survive in free and open source though. Google any of the tool names for further information.

If the Web server itself is using VM tools like CMS pipelines and REXX, I would say you will be hard pressed to find scanner tools that address those. You may want to check OWASP, the Web Application security project, and look at the security of the system from the opposite point of view: were the applications developed with sound coding practices (i.e., are you checking all the inputs to eliminate buffer overflows and such). I would also guess that an application infrastructure based on CMS pipelines and REXX would be more secure/trusted than, say, PHP or full-blown Ruby based systems, since VM is more bulletproof to the types of mistakes that screw up Web apps, and the tools are so esoteric in this day and age.

Of course, that also depends on how tempting the target is. Given the domain name of your e-mail, I would guess the target is very tempting indeed...

---
Mark Boltz, CISSP, NSA-IAM, CSGI
Sr. Solutions Architect
[EMAIL PROTECTED]
http://www.stonesoft.com
Toll Free: 1.866.869.4075
Cell: 1.571.246.2233
Fax: 1.703.288.4811
Direct: 1.703.288.0208
8133 Leesburg Pike, Suite 610
Vienna, VA 22182-2730 USA

From: "Schuh, Richard" <[EMAIL PROTECTED]>
Sent by: The IBM z/VM Operating System <[EMAIL PROTECTED] ARK.EDU>
Date: 01/17/2008 12:36 PM
Please respond to: The IBM z/VM Operating System <[EMAIL PROTECTED] ARK.EDU>
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Security Scans

Does anyone know if the SPI Dynamics AMP security scanner works on a VM-based web site? Another one of those rules like we discussed yesterday, the ones created in a vacuum? Since everything on the site is Rexx and CMS Pipelines, I have my doubts. Rexx, possibly (except for the non-compliant CMS file structure); CMS Pipelines, very unlikely.

Regards,
Richard Schuh