Penetration Testing mailing list archives
RE: Which Commercial Web App Scanner?
From: "Darren Webb" <spyder007 () charter net>
Date: Thu, 15 Oct 2009 22:42:29 -0500
Hello Norma,

If I might add my small contribution to this discussion (and I am going on the premise that you haven't already done this), you might also want to check out the SANS SEC 542 class that is done by Kevin Johnson. I have been doing testing for a while and this class was a great way to refine my methodology and techniques. (Learn more about the "why" and "when" that is behind the "how".) You will also be exposed to a lot of really interesting open source tools that can aid in your manual tests. (These tools also can help shape your ideas when it comes to a commercial tool.)

I would also recommend that you check with the Hailstorm guys to see if that price still is in effect. (I am a former Hailstorm user.) I like Hailstorm because out of all the commercial tools I have used, it had the most "open source" feel (i.e. you could modify the scans and attacks "under the hood", so to speak; and in my experience, next to accuracy, flexibility is one of the most important assets a tool can have).

Hope that helps.

Darren

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Norma Snockers
Sent: Thursday, October 15, 2009 2:25 AM
To: pen-test () securityfocus com
Subject: RE: Which Commercial Web App Scanner?

Thanks for all the replies so far, all good info for digestion. I appreciate it's a developing field, subject to rapid change and no substitute for manual testing. I intend to use it as a timesaving tool alongside manual testing to enhance/develop my experience/understanding.

I wasn't aware of Hailstorm and found this review http://www.scmagazineus.com/Cenzic-Hailstorm/Review/1081/ - although it is early last year and may have changed. If the price is still current then, although it might be the better product, this places it out of reach budget-wise compared to the opposition. Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has anyone become a beta tester who can comment?

I've seen the test comparison between my 3 original possibles here http://drop.io/anantasecfiles which seems to indicate that Acunetix (plus Acusensor) could be the best? AppScan found much more against its own test website than the others, and likewise WebInspect - to be expected perhaps. Still investigating.

----------------------------------------
From: norma.snockers () hotmail co uk
To: pen-test () securityfocus com
Subject: Which Commercial Web App Scanner?
Date: Sat, 10 Oct 2009 07:31:56 +0000

Folks,

I've read the threads, last one about 5 months ago... http://seclists.org/webappsec/2009/q2/68 and whilst very helpful, I'm still in a quandary. AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of Acunetix (and it includes GHDB checks - however is that really needed?), but my head is saying WebInspect. I've seen people recommend both. If you were to make a final decision, which would you buy between Acunetix and WebInspect (to be used in conjunction with open source tools) - based purely on the usability, functionality and efficiency of the product, not the aftersales support?
Many thanks.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------