Hey everyone,

I've been evaluating web application scanners for my company to invest in and was wondering which of these two you guys have experience with and recommend. I know there are open source tools that are just as good or better and discovering vulns, but I'm also interested in their reporting and compliance (FISMA) features.

I've tested out both of them (full evaluation license) against a test site and they both still miss a few vulnerabilities that I know are there. I'm leaning toward AppScan because I like the interface better and find it easier to get around in, but am open to suggestions.

Open source tools will still be a part of my toolkit - there's no doubt about that - but the company also wants to have an established "professional" scanner in place. I'm sure the rest of you are like me and don't like a scanner taking all the fun out of web app testing, but at least I'll still get to do manual testing after initial scans.

Thanks for your input.

Thanks for the input.
I actually had a Webex last week with Cenzic to go over Hailstorm. I'm working on getting an evaluation copy, but they won't give it out without setting up another Webex to go through the install process, so I'm still working that out.

The UI to Hailstorm didn't seam very intuitive and looked like it might be difficult to get around in. I'd like to test it out and see how it does finding vulnerabilities, but I wasn't very impressed with its presentation.

I guess I'll get an eval soon enough and will be able to test it. If it does a better job at finding vulnerabilities, then I don't care too much about the UI.