WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Tools comparison and evaluation question (AppScan)

From: "Talwar, Mansi" <mansi.talwar () fidelity co in>
Date: Fri, 17 Feb 2006 09:59:40 -0500
I have used AppScan for more than a year now.....the new version AppScan
6 is also now available......which has advanced functionalities like
resending test scripts of your own, etc...

I have heard of the Enterprise Edition too, but do not know much on
that.
It has given decent vulnerabilities, surely it can never be as efficient
as a manual Pen test....but after an extensive market survey, our
company had decided to use this finally.
In the past, it also gave me the UNIX password file being exposed. That
was one best finding I saw from AppScan. 


Regards 
-----------------------------------------------------------
Mansi Talwar




-----Original Message-----
From: King, Stuart (REHQ-LON) [mailto:Stuart.King () reedelsevier com] 
Sent: 17 February 2006 20:07
To: Serg Belokamen; webappsec () securityfocus com
Subject: RE: Tools comparison and evaluation question (AppScan)


I've used AppScan v5 and also tested other products by vendors such as
SPI
Dynamics.

My personal opinion is that AppScan was useful as a high level point and
shoot evaluation tool. But like all of these tools, it's important that
testing is followed by a proper pen test. The strength of AppScan is in
its
reporting and output - the reports look nice on a big screen as opposed
to a
more functional but less feature rich tool such as Typhon (which I think
is
excellent). However, unless you can meticulously go through the report
and
validate and weed out all of the "high risk" XSS vulns that it will be
reporting on, then they can be quite misleading if just used without
validation.

Personally, you can't beat doing a proper grey\white box test. For
example,
AppScan wont tell you about poorly implemented encryption and it wont
criticize a weak password policy. 

As for good open source tools - well, if you want to do a half decent
job of
testing the web app, you can't beat a mark 1 eyeball test of the source
code! I generally use a free proxy tool such as Paros and use the web
spidering functionality of Typhon, but the rest is just down to
experience. 

Note - just my opinion. Not trying to persuade anyone to buy or form an
opinion of the above mentioned software! There is plenty written about
all
of them elsewhere.


-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen () gmail com] 
Sent: 17 February 2006 07:04
To: webappsec () securityfocus com
Subject: Tools comparison and evaluation question (AppScan)

Hi All,

I am currently looking at using/evaluating a tool called AppScan (by
watchfire.com).

So the question is in two parts and ASAP reply would be greatly
appreciated.

First:
Without starting a flame war (hopefully) or marketing campaign
(another hopefully) can any one tell me abut their experience with the
software, what you find useful about it, what not, any annoyances,
missing functionality, etc.

Second:
Can anyone recommend any simular type of software, preferably open
source (although not at all essential), and describe its performance,
usability and "usefulness" so to speak using AppScan as a reference
point.

   Thanks,
       Serg

------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--

------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: