
Web Application Scanners


zr0crsh

Newbie

Posts: 14

Joined: Tue Apr 24, 2007 8:31 am

Post Tue Jan 08, 2008 3:06 pm

Web Application Scanners

There has been a lot of talk about Web Application Scanners and their effectiveness. There are a lot of industry articles (Rolling Reviews, etc.), blog posts and independent reviews (Larry Suto's paper), and the rebuttals from HP/IBM. I was wondering what the personal opinions of this forum's members are. Does anyone have a preferred WAS?

Cheers!

LSOChris

Post Tue Jan 08, 2008 6:44 pm

Re: Web Application Scanners

Free or for pay? Managed, or stuff that I scan myself?

zr0crsh

Newbie

Posts: 14

Joined: Tue Apr 24, 2007 8:31 am

Post Wed Jan 09, 2008 9:17 am

Re: Web Application Scanners

I'm interested in opinions on commercial scanner applications, not managed services.

dean

Post Wed Jan 09, 2008 10:49 am

Re: Web Application Scanners

I'm really partial to HP/SPI Dynamics WebInspect myself. I use both WebInspect and Watchfire's AppScan Enterprise.

Watchfire does have better enterprise integration, but SPI now has their Assessment Management Platform (AMP), which is for enterprise integration and multiple users, etc., so I'm not sure how they compare at that level now.

Depending on your needs (are you QA, a developer, security, etc.?), you would be best off taking a site you have access to and comparing the results of all the tools. Look at Cenzic's offerings too.

You'll want to see their ability to assess web applications, Ajax, etc. All of them will generate false positives, and the results will need to be checked. Look at the ability of the tool to manually step through a site with you doing the 'driving'. What toolset does it come with? Fuzzing tools, SQLi tools, brute-forcing tools, etc.? What quality/amount of checks does each have?

While the automated scanning aspect of the tools is great and they do get rid of a lot of the 'low-hanging fruit', you really want to manually assess the site in more detail after that.

hth,
dean
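The comparison dean suggests (run every scanner against one site you own, then check the results by hand) is easier when the findings are first normalized to a common key so that the same issue reported under two different check names lines up. The script below is an added example, not something from dean's post or from any vendor; the input records are constructed here and do not follow the real export formats of WebInspect, AppScan or Cenzic, and the hypothetical `CLASS_ALIASES` table is an assumption about how check titles map to vulnerability classes. Findings reported by every tool are listed first as the most likely true positives; findings unique to one tool are the candidates for a false positive in that tool or a false negative in the others, and are where manual verification should start.

```python
"""Cross-reference findings from several web application scanners.

Added example. Inputs are constructed records, not real scanner exports.
Each record is assumed to carry a URL, an optional parameter name and a
free-text check title; scanner export formats differ, so in practice a
small per-tool loader would produce these dicts.
"""
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Hypothetical mapping from vendor check titles to a common class name.
# Matching is by substring on the lower-cased title.
CLASS_ALIASES = {
    "cross-site scripting": "xss",
    "reflected xss": "xss",
    "blind sql injection": "sqli",
    "sql injection": "sqli",
    "directory listing": "dirlisting",
    "directory indexing": "dirlisting",
}


def normalize_url(url):
    """Lower-case scheme and host, drop query and fragment.

    Two scanners probing /search?q=1 and /search?q=2 are reporting the
    same endpoint; the injection point is tracked separately via param.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def normalize_class(title):
    """Map a vendor check title onto a common class, or keep it verbatim."""
    t = title.strip().lower()
    for alias, cls in CLASS_ALIASES.items():
        if alias in t:
            return cls
    return "other:" + t


def finding_key(finding):
    """(endpoint, parameter, class) identifies one issue across tools."""
    param = (finding.get("param") or "").lower()
    return (normalize_url(finding["url"]), param, normalize_class(finding["title"]))


def cross_reference(results):
    """results: {tool_name: [finding, ...]} -> {key: set of tools that reported it}."""
    seen = defaultdict(set)
    for tool, findings in results.items():
        for finding in findings:
            seen[finding_key(finding)].add(tool)
    return dict(seen)


def triage(results):
    """Split keys into those every tool agrees on and those only some report.

    Returns (agreed, disputed); each is a sorted list of (key, [tools]).
    """
    n_tools = len(results)
    agreed, disputed = [], []
    for key, tools in sorted(cross_reference(results).items()):
        entry = (key, sorted(tools))
        (agreed if len(tools) == n_tools else disputed).append(entry)
    return agreed, disputed


# Constructed sample exports for two hypothetical scanners.
SAMPLE = {
    "scanner_a": [
        {"url": "http://Shop.example/search?q=test", "param": "q", "title": "Cross-Site Scripting"},
        {"url": "http://shop.example/item?id=1", "param": "id", "title": "SQL Injection"},
        {"url": "http://shop.example/images/", "param": None, "title": "Directory Listing"},
    ],
    "scanner_b": [
        {"url": "http://shop.example/search", "param": "Q", "title": "Reflected XSS"},
        {"url": "http://shop.example/item", "param": "id", "title": "Blind SQL Injection"},
        {"url": "http://shop.example/login", "param": "user", "title": "SQL Injection"},
    ],
}

if __name__ == "__main__":
    agreed, disputed = triage(SAMPLE)
    print("Reported by every tool (likely true positives, confirm first):")
    for key, tools in agreed:
        print("   ", key)
    print("Reported by a single tool (verify: FP in that tool or FN elsewhere):")
    for key, tools in disputed:
        print("   ", key, tools)
```

The output is only a worklist; as dean says, each entry still has to be confirmed by hand, and the "disputed" list is also the place to look when deciding which scanner's checks you trust for a given class of bug.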
