RE: Of the three expensive vulnerability scanners

["Don Tuer" <don.tuer () cgi com>]

Excellent paper, should be mandatory reading for all developers! Thanks.

-----Original Message-----
From: Joe Basirico [mailto:jbasirico () sisecure com] 
Sent: Thursday, October 07, 2004 9:09 PM
To: managingrisk () gmail com; webappsec () securityfocus com
Subject: RE: Of the three expensive vulnerability scanners

I recently wrote a security report on vulnerability scanners that you
might
want to check out. I reviewed 25 scanners that might help you make a
decision. In my report I talk about what scanners do and how they do it,
then in the Tool review (last page) each tool is individually reviewed
with
an overview, strengths, weaknesses, price and some other criteria. This
Security Report was intended for the audience to decide which tools
hackers
are learning to help compromise your servers.

This is normally a subscription only report but it's free until November
30th.

http://www.securityinnovation.com/security-report/vulnScanners1.htm

Thank you,
Joe Basirico
SECURITYINNOVATION - Software Security Engineer
http://www.securityinnovation.com
jbasirico () sisecure com
206-227-6458

 -----Original Message-----
From: managingrisk () gmail com [mailto:managingrisk () gmail com] 
Sent: Thursday, October 07, 2004 8:31 AM
To: webappsec () securityfocus com
Subject: Of the three expensive vulnerability scanners



I am trying to decide which of the three, supposedly "grade A"
application
vulnerability scanners suits our needs the best. I am looking at :

1. AppScan
2. Scando
3. WebInspect

(are there others I should be looking at ? )

Obviously, each claims to be the best. That's why I look to you folks to
help me out here. I would appreciate it if members of the list would
share
with me their experiences with the tools I listed above. Specifically
around
what their weaknesses, strengths, gotchas, etc are.

Personally I have been using Atstake's WebProxy and I am not impressed
with
it at all.

Thank you.