Security Basics mailing list archives
Re: Best Commercial Vulnerability Scanner
From: "Andre Gironda" <andreg () gmail com>
Date: Fri, 15 Aug 2008 13:55:17 -0700
On Thu, Aug 14, 2008 at 10:45 AM, Danux <danuxx () gmail com> wrote:
> We are doing vulnerability testing using SPI Dynamics with Mercury Quality Center for defect management, but this tool (SPI) is too expensive, and it is also too slow when used with MQC.
You could always test using a free, active testing tool such as Burp, Paros, DirBuster, DFF Scanner, JBroFuzz, sn00per, w3af, and Grendel-Scan, especially good when combined with passive tools such as Pantera, Proxmon, and ratproxy. Syhunt and N-Stealth have free versions of their scanners. Acunetix, SPI, Cenzic, NTObjectives, and Watchfire demo versions can be modified: http://blog.clearnetsec.com/articles/2008/03/24/test-commercial-web-app-scanners-for-free-and-without-restrictions
> Do you know (from personal experience or another source) where I can get a comparison between those kinds of products? I mean SPI Dynamics, WatchFire, Acunetix, Cenzic, and so on.
Out of those, I would not include Acunetix or Cenzic, as their products are very limited. Also see http://extra.fortifysoftware.com/blog/2008/08/space_race.html
> We are looking for lower costs, better performance, and good vulnerability defect management.
You may want to consider a security code review tool if you already have access to the source code, which it sounds like you do. There are also at least three hybrid analysis tools on the market: SPI Dynamics DevInspect/SecureObjects, Watchfire AppScan DE, and Fortify PTA.

Cheers,
Andre