WebApp Sec mailing list archives

Re: AppSec tools


From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Wed, 2 Aug 2006 08:43:15 -0700 (PDT)

> - High-end tools such as Watchfire AppScan, Cenzic
> Hailstorm, SPI Dynamics, etc.
> - Mid-range tools such as Acunetix
> - Open source tools such as Paros Proxy, Nikto,
> etc.
> - Compare and contrast relative VALUE of each
> option?
At the top, I would rate tools/web proxies like
Paros/WebScarab, because using those you can conduct
exhaustive manual tests. I do run other automated
tools like AppScan, Nikto, etc. But automated tools
send generic tests, so the output of automated tools is
just 10-20% of total findings [I believe my developer
colleagues are getting smarter day by day...]. And most
of the vulnerabilities reported by automated tools are
false positives.

For pentesting a web application, I would suggest
manual tests using some web proxy and a few other
supportive tools like SQL Injector, Cain and Abel,
custom Perl scripts, etc.

Cheers,
Dhruv
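
The false-positive point above is easy to see in code. The following is an added example, not part of Dhruv's post or of any of the tools he names: it replays candidate reflected-XSS findings against a target and only confirms a hit when the marker payload comes back byte-for-byte, brackets intact, which is the check a tester would do by hand in a proxy. The target (`simulated_target`, with the hypothetical host `app.example.test` and the paths `/search` and `/legacy`) is a constructed stand-in so the script runs offline; the loose `generic_scanner_flag` check stands in for the kind of "payload text seen in response" heuristic that fires on HTML-encoded echoes.

```python
"""Re-verify reflected-XSS scanner findings before reporting them.

Added example, not code from the original post. The application under
test is a constructed stand-in (simulated_target) so this runs offline;
swap in a real fetch (e.g. requests.get(url).text) for a live target
you are authorised to test.
"""
import html
from urllib.parse import parse_qs, quote, urlparse

# Marker payload: the token is unique so a match cannot come from text that
# was already on the page; the angle brackets are what an encoder must neutralise.
PAYLOAD = "<xss7f3a>"
BASE = "https://app.example.test"  # hypothetical host (assumption)


def simulated_target(url: str) -> str:
    """Constructed stand-in for the web app (no network).

    /search  HTML-encodes the echoed parameter (safe).
    /legacy  echoes it verbatim (genuine reflected XSS).
    """
    parsed = urlparse(url)
    term = parse_qs(parsed.query).get("q", [""])[0]
    if parsed.path == "/search":
        return f"<p>Results for {html.escape(term)}</p>"
    if parsed.path == "/legacy":
        return f"<p>Results for {term}</p>"
    return "<h1>404 Not Found</h1>"


def build_url(path: str, payload: str = PAYLOAD) -> str:
    """Put the payload into the 'q' query parameter, URL-encoded."""
    return f"{BASE}{path}?q={quote(payload, safe='')}"


def generic_scanner_flag(body: str) -> bool:
    """Loose heuristic that produces false positives: it only looks for the
    payload's text, so '&lt;xss7f3a&gt;' (encoded, harmless) still 'matches'."""
    return "xss7f3a" in body


def confirmed_reflection(body: str) -> bool:
    """Manual-verification rule: the payload must appear unmodified, i.e.
    a browser would parse the injected brackets as markup."""
    return PAYLOAD in body


def triage(paths, fetch=simulated_target):
    """Replay each candidate path; return {path: (scanner_flagged, confirmed)}."""
    results = {}
    for path in paths:
        body = fetch(build_url(path))
        results[path] = (generic_scanner_flag(body), confirmed_reflection(body))
    return results


if __name__ == "__main__":
    for path, (flagged, confirmed) in triage(["/search", "/legacy"]).items():
        print(f"{path:10} scanner_flagged={flagged!s:5} confirmed={confirmed}")
```

Running it shows both paths flagged by the loose check but only `/legacy` confirmed; the `/search` hit is the false positive that a tester would discard after replaying the request in a proxy.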
