RE: Tools comparison and evaluation question (AppScan)

["Rui Pereira (WCG)" <wavefront1 () shaw ca>]

All,

Take a look at http://www.eweek.com/article2/0,1895,1815334,00.asp and
http://www.secureenterprisemag.com/article/printableArticle.jhtml?articleId=
169400383 for recent (relatively) comparisons of various web application
security evaluation products.

I have used SPI Dynamic's WebInspect for over a year now with great success.
We chose WI after comparing it with the competition, including Appscan. We
like the amount of control we had over the tests selected, in particular. WI
also does the manual/auto toggle thing. Appscan is more of a point-and-click
thing, for those not interested in what is happening under the hood (caveat:
This was my impression over a year ago. I have not looked at Appscan since.)

I have heard good things about Cenzic Hailstorm, but have not had a chance
to look at it.

And I second the use of Paros - for what it does and what it costs ($0) it
cannot be beat.

Thank You
 
Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA,CWNA
Principal Consultant

WaveFront Consulting Group
Certified Information Systems Security Professionals
 
wavefront1 () shaw ca | 1 (604) 961 0701


-----Original Message-----
From: Burke, Charles [mailto:Charles_Burke () HomeDepot com] 
Sent: February 17, 2006 4:45 AM
To: Serg Belokamen; webappsec () securityfocus com
Subject: RE: Tools comparison and evaluation question (AppScan)


I like AppScan's ability to allow manual and automatic toggle. I have also
used Paros (open source) and it works just as well.

-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen () gmail com] 
Sent: Friday, February 17, 2006 2:04 AM
To: webappsec () securityfocus com
Subject: Tools comparison and evaluation question (AppScan)


Hi All,

I am currently looking at using/evaluating a tool called AppScan (by
watchfire.com).

So the question is in two parts and ASAP reply would be greatly appreciated.

First:
Without starting a flame war (hopefully) or marketing campaign (another
hopefully) can any one tell me abut their experience with the software, what
you find useful about it, what not, any annoyances, missing functionality,
etc.

Second:
Can anyone recommend any simular type of software, preferably open source
(although not at all essential), and describe its performance, usability and
"usefulness" so to speak using AppScan as a reference point.

   Thanks,
       Serg

------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------




-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------