WebApp Sec mailing list archives
Re: out of box scanner
From: Brian Shura <bshura73 () gmail com>
Date: Thu, 26 Nov 2009 09:17:21 -0800
The Web Application Security Scanner Evaluation Criteria provides guidance on features that should be considered when evaluating scanners and advice on conducting an evaluation. I agree with Jon that obtaining evaluation licenses for these scanners and running them against a sample of your actual web applications will give you the best idea of which product best meets your needs.
http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
Brian

Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John Bennett wrote:
> > I'm currently evaluating some commercial scanners and wanted to get a feel for others' experiences with appscan/cenzic/webinspect. Any gotchas with any of these products, and can anybody recommend one over the other?
> >
> > thanks,
> > John
>
> Do a fly-off in your environment. Each will give you 15-day demos. Run the demos concurrently so that you can compare and contrast results. If a scanner vastly under-performs one of the competitors, contact their tech reps because you most likely have something misconfigured. Pick the scanner that finds the most non-false positives that the other scanners miss, has the least false negatives, best fits your working environment, and best integrates with other tools that you may be using.
>
> In two recent fly-offs with my clients, one vendor has consistently out-performed the competition -- and I was stunned to have found that was the case -- but, I do not want to prejudice your opinions by saying who. However, I would be interested in hearing who you choose and why.
>
> Best wishes,
> Jon Kibler
>
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-813-2924
> s: 843-564-4224
> s: JonRKibler
> e: Jon.Kibler () aset com
> e: Jon.R.Kibler () gmail com
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAksOQU4ACgkQUVxQRc85QlM3DQCfZR9ciYZnxhMR6ANMDxr4MTi6
> X90Anje4KqXYrD6TFL6JlTK2B8NyLHHv
> =lvjN
> -----END PGP SIGNATURE-----
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
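The fly-off procedure Jon describes (run every scanner against the same applications, triage the results, and prefer the product that finds the most confirmed issues the others miss while missing the fewest confirmed issues) is easy to get wrong if the comparison is done by eyeballing report counts. The script below is an added example, not code from this thread or from any of the vendors named in it: it scores each scanner against a manually verified list of true findings and ranks them by Jon's criteria. Scanner names, URLs, parameters and the "confirmed" list are all constructed sample data.

```python
"""Score several web-app scanners from one fly-off against a manually triaged
list of confirmed findings.  Added example with constructed sample data; the
scanner names and findings are hypothetical, not real products or results."""
from dataclasses import dataclass

# A finding is identified by (vulnerability class, URL path, parameter) so the
# same issue reported by two scanners under different titles lines up.
Finding = tuple[str, str, str]

# Constructed sample: what each hypothetical scanner reported.
SCANNER_REPORTS: dict[str, set[Finding]] = {
    "scanner_a": {
        ("xss", "/search", "q"),
        ("sqli", "/login", "user"),
        ("xss", "/profile", "name"),
        ("path_traversal", "/download", "file"),  # triaged as a false positive
    },
    "scanner_b": {
        ("xss", "/search", "q"),
        ("sqli", "/login", "user"),
        ("csrf", "/transfer", "-"),
        ("xss", "/comments", "body"),
    },
    "scanner_c": {
        ("xss", "/search", "q"),
        ("open_redirect", "/next", "url"),  # triaged as a false positive
        ("sqli", "/login", "user"),
    },
}

# Constructed sample: findings confirmed true by manual verification, including
# one that no scanner reported (a false negative for all of them).
CONFIRMED: set[Finding] = {
    ("xss", "/search", "q"),
    ("sqli", "/login", "user"),
    ("xss", "/profile", "name"),
    ("csrf", "/transfer", "-"),
    ("xss", "/comments", "body"),
    ("idor", "/account", "id"),
}


@dataclass
class Score:
    true_positives: int
    false_positives: int
    false_negatives: int
    unique_true_positives: int  # confirmed findings no other scanner reported


def score_scanners(reports: dict[str, set[Finding]],
                   confirmed: set[Finding]) -> dict[str, Score]:
    """Compute TP/FP/FN per scanner plus the confirmed findings only it found."""
    scores: dict[str, Score] = {}
    for name, findings in reports.items():
        # Everything reported by the *other* scanners in the fly-off.
        others = set().union(*(f for n, f in reports.items() if n != name))
        tp = findings & confirmed
        scores[name] = Score(
            true_positives=len(tp),
            false_positives=len(findings - confirmed),
            false_negatives=len(confirmed - findings),
            unique_true_positives=len(tp - others),
        )
    return scores


def rank(scores: dict[str, Score]) -> list[str]:
    """Order scanners by most unique true positives, then fewest false
    negatives, then fewest false positives (Jon's criteria, in that order)."""
    return sorted(
        scores,
        key=lambda n: (-scores[n].unique_true_positives,
                       scores[n].false_negatives,
                       scores[n].false_positives),
    )


def missed_by_all(reports: dict[str, set[Finding]],
                  confirmed: set[Finding]) -> set[Finding]:
    """Confirmed findings that no scanner reported: coverage gaps that manual
    testing still has to cover whichever product is chosen."""
    return confirmed - set().union(*reports.values())


if __name__ == "__main__":
    scores = score_scanners(SCANNER_REPORTS, CONFIRMED)
    for name in rank(scores):
        print(name, scores[name])
    print("missed by every scanner:", missed_by_all(SCANNER_REPORTS, CONFIRMED))
```

The `CONFIRMED` set is the expensive part in practice: every reported finding has to be triaged by hand before the numbers mean anything, and the union of all reports is not a substitute for a ground truth because a scanner can only be credited with what it found, not penalised for what nobody tested. Keeping the finding key coarse (class, path, parameter) is deliberate; vendors title the same issue differently, and a finer key would turn one bug into several.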
Current thread:
- out of box scanner John Bennett (Nov 25)
- Re: out of box scanner Jon Kibler (Nov 26)
- Re: out of box scanner Brian Shura (Nov 26)
- Re: out of box scanner Erik Ilves (Nov 30)
- <Possible follow-ups>
- Re: out of box scanner Lawrence Pingree (Dec 01)
- Re: out of box scanner Jon Kibler (Nov 26)