WebApp Sec mailing list archives
RE: Tools comparison and evaluation question (AppScan)
From: "Talwar, Mansi" <mansi.talwar () fidelity co in>
Date: Fri, 17 Feb 2006 09:59:40 -0500
I have used AppScan for more than a year now.....the new version AppScan 6 is also now available......which has advanced functionalities like resending test scripts of your own, etc... I have heard of the Enterprise Edition too, but do not know much on that. It has given decent vulnerabilities, surely it can never be as efficient as a manual Pen test....but after an extensive market survey, our company had decided to use this finally. In the past, it also gave me the UNIX password file being exposed. That was one best finding I saw from AppScan. Regards ----------------------------------------------------------- Mansi Talwar -----Original Message----- From: King, Stuart (REHQ-LON) [mailto:Stuart.King () reedelsevier com] Sent: 17 February 2006 20:07 To: Serg Belokamen; webappsec () securityfocus com Subject: RE: Tools comparison and evaluation question (AppScan) I've used AppScan v5 and also tested other products by vendors such as SPI Dynamics. My personal opinion is that AppScan was useful as a high level point and shoot evaluation tool. But like all of these tools, it's important that testing is followed by a proper pen test. The strength of AppScan is in its reporting and output - the reports look nice on a big screen as opposed to a more functional but less feature rich tool such as Typhon (which I think is excellent). However, unless you can meticulously go through the report and validate and weed out all of the "high risk" XSS vulns that it will be reporting on, then they can be quite misleading if just used without validation. Personally, you can't beat doing a proper grey\white box test. For example, AppScan wont tell you about poorly implemented encryption and it wont criticize a weak password policy. As for good open source tools - well, if you want to do a half decent job of testing the web app, you can't beat a mark 1 eyeball test of the source code! I generally use a free proxy tool such as Paros and use the web spidering functionality of Typhon, but the rest is just down to experience. Note - just my opinion. Not trying to persuade anyone to buy or form an opinion of the above mentioned software! There is plenty written about all of them elsewhere. -----Original Message----- From: Serg Belokamen [mailto:serg.belokamen () gmail com] Sent: 17 February 2006 07:04 To: webappsec () securityfocus com Subject: Tools comparison and evaluation question (AppScan) Hi All, I am currently looking at using/evaluating a tool called AppScan (by watchfire.com). So the question is in two parts and ASAP reply would be greatly appreciated. First: Without starting a flame war (hopefully) or marketing campaign (another hopefully) can any one tell me abut their experience with the software, what you find useful about it, what not, any annoyances, missing functionality, etc. Second: Can anyone recommend any simular type of software, preferably open source (although not at all essential), and describe its performance, usability and "usefulness" so to speak using AppScan as a reference point. Thanks, Serg ------------------------------------------------------------------------ - This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- ------------------------------------------------------------------------ - This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- FW: Tools comparison and evaluation question (AppScan), (continued)
- FW: Tools comparison and evaluation question (AppScan) Burke, Charles (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Serg B. (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Burke, Charles (Feb 17)
- Re: Tools comparison and evaluation question (AppScan) Ratna Kumar (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Rui Pereira (WCG) (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Xyberpix (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Peter Wood (Feb 17)
- RE: FW: Tools comparison and evaluation question (AppScan) David Munge (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Peter Wood (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Xyberpix (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) King, Stuart (REHQ-LON) (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Talwar, Mansi (Feb 17)
- RE: FW: Tools comparison and evaluation question (AppScan) Brokken, Allen P. (Feb 17)
- RE: FW: Tools comparison and evaluation question (AppScan) Erwin Geirnaert (Feb 17)
- RE: (OWASP Web App Tool Project) Tools comparison and evaluation question (AppScan) arian.evans (Feb 18)
- RE: FW: Tools comparison and evaluation question (AppScan) Joe White (Feb 17)
- RE: FW: Tools comparison and evaluation question (AppScan) arian.evans (Feb 18)
- Re: Tools comparison and evaluation question (AppScan) Tommy (Feb 19)
- RE: FW: Tools comparison and evaluation question (AppScan) arian.evans (Feb 18)
- Re: RE: Tools comparison and evaluation question (AppScan) mr . dan . friedman (Feb 19)
- RE: RE: Tools comparison and evaluation question (AppScan) Gavin, Michael (Feb 19)
- Re: RE: RE: Tools comparison and evaluation question (AppScan) david_allouch (Mar 22)
- FW: Tools comparison and evaluation question (AppScan) Burke, Charles (Feb 17)