Rooting Out Web App Holes 
By Jim Rapoza (eWeek Mag)
March 13, 2006

Review: Web application penetration-testing tool veterans WebInspect and AppScan show they still have the right security stuff.

---

Despite all the attention that security holes in various operating systems get, the most likely avenue for successfully compromising a corporate system is a poorly developed Web-based application. It's essential, therefore, for developers to find potential problems before deploying a Web application to a live site.

That's where Web application penetration-testing products come in. These tools let developers perform exhaustive application scans to find known security holes or even poorly designed code that could potentially lead to a security breach.

For full story:
http://www.eweek.com/article2/0,1759,1937372,00.asp

Podcast with Peter Coffee and Jim Rapoza looks at recent reviews of Web security products:
http://www.eweek.com/article2/0,1759,1939546,00.asp

Don

Of course if you can't afford Webinspect, I recommend SARA and Nikto together.  They aren't as in-depth or as robust but are good nonetheless.

No not yet.  I think that once we get certified we may buy it.  It is pretty expensive like I think but don't quote me $20,000 for one machine and can scan unlimited number of IP addresses.  They give you a registry key that locks/binds the registration to only that specified machine.  We had a 30 day trial one one machine to scan 1 IP address.  I am lobbying for us to buy it.