The Ethical Hacker Network - Web App Pen Testing Products

Latest Additions

Who's Online

don

Editor-In-Chief
Administrator
Hero Member

Offline

Posts: 4167

Editor-In-Chief

Web App Pen Testing Products

« on: March 30, 2006, 03:20:54 PM »

Rooting Out Web App Holes
By Jim Rapoza (eWeek Mag)
March 13, 2006

Review: Web application penetration-testing tool veterans WebInspect and AppScan show they still have the right security stuff.

Despite all the attention that security holes in various operating systems get, the most likely avenue for successfully compromising a corporate system is a poorly developed Web-based application. It's essential, therefore, for developers to find potential problems before deploying a Web application to a live site.

That's where Web application penetration-testing products come in. These tools let developers perform exhaustive application scans to find known security holes or even poorly designed code that could potentially lead to a security breach.

For full story:
http://www.eweek.com/article2/0,1759,1937372,00.asp

Podcast with Peter Coffee and Jim Rapoza looks at recent reviews of Web security products:
http://www.eweek.com/article2/0,1759,1939546,00.asp

Don


	Logged

CISSP, MCSE, CSTA, Security+ SME

Dengar13

Sr. Member

Offline

Posts: 380

Re: Web App Pen Testing Products

« Reply #1 on: March 30, 2006, 03:34:49 PM »

I will vouch that Webinspect is the real deal! It rips the web server and finds tons of stuff, the reporting is sweet and it is worth the steep price if you are serious about web security. My company had a 30 free trial to scan 1 IP address and the damn thing yielded a 450+ page report. The box we tested was unpatched and an old version if IIS and it found everything from XSS to SQL injections and beyond. It scans for HIPAA, PCI, Sarbanes-Oxley requirements by themselves or combined. I highly suggest this product!!! 5 stars!


	Logged

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!

Dengar13

Sr. Member

Offline

Posts: 380

Re: Web App Pen Testing Products

« Reply #2 on: March 30, 2006, 03:36:18 PM »

Of course if you can't afford Webinspect, I recommend SARA and Nikto together. They aren't as in-depth or as robust but are good nonetheless.


	Logged

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!

tmartin

Recruiters
Newbie

Offline

Posts: 46

Re: Web App Pen Testing Products

« Reply #3 on: March 31, 2006, 07:37:05 AM »

Thanks for the input. Did your co buy it?


	Logged

Dengar13

Sr. Member

Offline

Posts: 380

Re: Web App Pen Testing Products

« Reply #4 on: March 31, 2006, 08:07:59 AM »

No not yet. I think that once we get certified we may buy it. It is pretty expensive like I think but don't quote me $20,000 for one machine and can scan unlimited number of IP addresses. They give you a registry key that locks/binds the registration to only that specified machine. We had a 30 day trial one one machine to scan 1 IP address. I am lobbying for us to buy it.