WebApp Sec mailing list archives
Re: AppSec tools
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Wed, 2 Aug 2006 08:43:15 -0700 (PDT)
- High end tools such as WatchFire AppScan, Cenzic Hailstorm, SPI Dynamics, etc.
- Mid range tools such as Acunetix
- Open source tools such as Paros Proxy, Nikto, etc.
- Compare and contrast relative VALUE of each option?
On the top, I would rate tools/webproxies like Paros/WebScarab, because using those you can conduct exhaustive manual tests. I do run other automated tools like AppScan, Nikto etc., but automated tools send generic tests, so the output of automated tools is just 10-20% of total findings [I believe my developer colleagues are getting smarter day-by-day...]. And most of the vulnerabilities reported by automated tools are false positives.

For pentesting a web application, I would suggest manual tests using some webproxy and a few other supportive tools like SQL Injector, Cain and Abel, custom Perl scripts etc.

Cheers,
Dhruv
Current thread:
- AppSec tools it_strategy (Aug 01)
- Re: AppSec tools Dhruv Soi (Aug 02)