I need your help in choosing some security tools. We will improve our security program and I have to propose some vulnerability scanning / penetration testing tools that we will buy.
Our network has around 3000 active IPs, and we have almost 40 IPs in the DMZ.
I have thought about some tools, and I should give my managers some reasons why I chose a particular one (for example, in the category Network scanners I chose Nessus, and I can justify this with Forrester research). Here are my categories and my picks:

Network scanners

1. Nessus (cheaper, ~$3600 for 3 licenses, very good product, and we already have it)
2. Nexpose (very good, but will cost us $40,000/year)
Database vulnerability scanners

1. DB Audit – good reviews; $4500 for 10 servers
2. AppDetective – more expensive
3. Pangolin – amazing SQL injection tool. It costs $2000 and maybe I will convince them to buy it together with DB Audit
Web application scanners

1. Burp Suite Pro – $225, plus Acunetix – $5000
2. WebInspect – $6000
3. AppScan – $15,000
Penetration testing / exploitation tools

1. Core Impact – $20,000, plus the Metasploit framework
2. Metasploit Express – $3000
3. SAINT exploit – $20,000?
Besides this we will use some open source tools, but we also need good commercial tools (management gets excited about support).
If I have missed any categories, please tell me.
So, I would like to hear your suggestions and opinions.