WebApp Sec mailing list archives
Re: Recommendation for web app scanner
From: "Randal T. Rioux" <randy () procyonlabs com>
Date: Wed, 27 May 2009 00:54:16 -0400
I agree that folks should try the products for themselves. Also, I didn't say why HP and IBM smudged the software. I guess I need to be more clear, as I've worked extensively with both of them before and after the mergers. Basically, they bought the products and gave up. The customer support disappeared and the quality diminished. This happens a lot when a large company buys the smaller, more specialized ones. It isn't specific to all large companies, but it is very prolific with some.

That being said, any company that charges more than a few thousand dollars for their product will work with you extensively to sell you that product. Just don't trust their words on post-sale support. Check with others (as you did) both on lists and off to measure satisfaction.

Randy

Brian Shura wrote:

> I would suggest trying out a number of these tools to see which one best meets your needs. For the commercial scanners, it's easy to get a 2-week evaluation license from the vendors if you want to see the capabilities of the tool before making a purchase decision.
>
> The Web Application Scanner Evaluation Criteria (WASSEC) from WASC provides a list of scanner capabilities that should be taken into consideration and advice for conducting an evaluation. I expect that we'll be releasing Version 1 of the WASSEC within the next month, but at this point the draft document is almost complete and is already being used to help "raise the bar" for web application scanning tools. This document can be found here: http://sites.google.com/site/wassec/final-draft
>
> I would also suggest taking vague comments like "AppScan and WebInspect suck now because they were bought by IBM and HP" with a grain of salt. Give the tools a try and decide for yourself whether or not they work for you. If there are things that you don't like about a particular tool or think need to be improved, tell the vendor or developer and be as specific as possible. If you're right and they care, it will lead to improvements in the tool.
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Randal T. Rioux
> Sent: Friday, May 22, 2009 1:06 PM
> To: webappsec () securityfocus com; js.lists () gmail com
> Subject: RE: Recommendation for web app scanner
>
> Watchfire (AppScan) was great until IBM bought them (the Symantec syndrome...). WebInspect was great until HP bought them (HP just sucks all around). It's a tough market for management friendly report generating Web app scanners.
>
> NIST keeps a nice list: http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
>
> I tested Hailstorm once, it didn't perform as well as I hoped for the asking price.
>
> Good luck!
>
> Randy
>
> > I need a new web app scanner with features similar to Acunetix for around the same price. We've been using Acunetix for a few years, but they won't return my calls (is 3 enough?) to renew, so I'm moving on. I'm not experienced enough to do my own assessment by hand. I can't afford web app services like White Hat. Any help would be appreciated.
Current thread:
- Recommendation for web app scanner Joe S (May 22)
- Re: Recommendation for web app scanner mittalu (May 25)
- RE: Recommendation for web app scanner SecLists Ertech Systems (May 25)
- Re: Recommendation for web app scanner Rory McCune (May 25)
- Re: Recommendation for web app scanner Matias N. Sliafertas (May 25)
- <Possible follow-ups>
- RE: Recommendation for web app scanner Randal T. Rioux (May 25)
- RE: Recommendation for web app scanner Brian Shura (May 25)
- Re: Recommendation for web app scanner Randal T. Rioux (May 26)
- Re: Recommendation for web app scanner Eric Marden (May 26)
- RE: Recommendation for web app scanner Brian Shura (May 25)