
Larry Suto

Will academic security research provide the answer?

Submitted by Ofer Shezaf on 20 November 2011 - 9:41pm

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo research data altogether, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Suto strikes again, or getting the desired results regardless of data

Submitted by Ofer Shezaf on 17 November 2011 - 11:37pm

Larry Suto, who brought us scanner wars 1 and 2, has published research on WAF effectiveness. As usual, Larry’s work is fun to dissect. While Larry’s research is not worse than your average analyst’s work, he does try to base his conclusion on more concrete and pseudo-scientific research, making it much more vulnerable to scrutiny.

Is any security tool perfect?

Submitted by Ofer Shezaf on 9 February 2010 - 10:48pm

Larry Suto, an application security consultant, published a sequel to his 2007 best-selling research about web application scanners. In the first round Larry managed to ignite quite a controversy and drew a lot of criticism from the losing vendors. The reason is simple: Larry found out that the scanners do not perform as well as advertised.