« Return to Thread: Recommendation for web app scanner
Re: Recommendation for web app scanner
by Randal T. Rioux
::
Rate this Message:
I agree that folks should try the products for themselves. Also, I
didn't say why HP and IBM smudged the software. I guess I need to be
more clear, as I've worked with them both extensively both before and
after the mergings.
Basically, they bought the products and gave up. The customer support
disappeared and the quality diminished. This happens a lot when a large
company buys the smaller, more specialized ones. It isn't specific to
all large companies, but it is very prolific with some.
That being said, any company that charges more than a few thousand
dollars for their product will work with you extensively to sell you
that product. Just don't trust their words on post-sale support. Check
with others (as you did) both on lists and off to measure satisfaction.
Randy
Brian Shura wrote:
> I would suggest trying out a number of these tools to see which one best
> meets your needs. For the commercial scanners, it's easy to get a 2-week
> evaluation license from the vendors if you want to see the capabilities of
> the tool before making a purchase decision.
>
> The Web Application Scanner Evaluation Criteria (WASSEC) from WASC provides
> a list of scanner capabilities that should be taken into consideration and
> advice for conducting an evaluation. I expect that we'll be releasing
> Version 1 of the WASSEC within the next month, but at this point the draft
> document is almost complete and is already being used to help "raise the
> bar" for web application scanning tools. This document can be found here:
>
> http://sites.google.com/site/wassec/final-draft
>
> I would also suggest taking vague comments like "AppScan and WebInspect suck
> now because they were bought by IBM and HP" with a grain of salt. Give the
> tools a try and decide for yourself whether or not they work for you. If
> there are things that you don't like about a particular tool or think need
> to be improved, tell the vendor or developer and be as specific as possible.
> If you're right and they care, it will lead to improvements in the tool.
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On
> Behalf Of Randal T. Rioux
> Sent: Friday, May 22, 2009 1:06 PM
> To: webappsec@...; js.lists@...
> Subject: RE: Recommendation for web app scanner
>
> Watchfire (AppScan) was great until IBM bought them (the Symantec
> syndrome...). WebInspect was great until HP bought them (HP just sucks all
> around). It's a tough market for management friendly report generating Web
> app scanners.
>
> NIST keeps a nice list:
>
> http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
>
> I tested Hailstorm once, it didn't perform as well as I hoped for the asking
> price. Good luck!
>
> Randy
>
>> I need a new web app scanner with features similar to Acunetix for
>> around the same price.
>>
>> We've been using Acunetix for a few years, but they won't return my
>> calls (is 3 enough?) to renew, so I'm moving on.
>>
>> I'm not experienced enough to do my own assessment by hand.
>>
>> I can't afford web app services like White Hat.
>>
>> Any help would be appreciated.
>>
>>
>
>
didn't say why HP and IBM smudged the software. I guess I need to be
more clear, as I've worked with them both extensively both before and
after the mergings.
Basically, they bought the products and gave up. The customer support
disappeared and the quality diminished. This happens a lot when a large
company buys the smaller, more specialized ones. It isn't specific to
all large companies, but it is very prolific with some.
That being said, any company that charges more than a few thousand
dollars for their product will work with you extensively to sell you
that product. Just don't trust their words on post-sale support. Check
with others (as you did) both on lists and off to measure satisfaction.
Randy
Brian Shura wrote:
> I would suggest trying out a number of these tools to see which one best
> meets your needs. For the commercial scanners, it's easy to get a 2-week
> evaluation license from the vendors if you want to see the capabilities of
> the tool before making a purchase decision.
>
> The Web Application Scanner Evaluation Criteria (WASSEC) from WASC provides
> a list of scanner capabilities that should be taken into consideration and
> advice for conducting an evaluation. I expect that we'll be releasing
> Version 1 of the WASSEC within the next month, but at this point the draft
> document is almost complete and is already being used to help "raise the
> bar" for web application scanning tools. This document can be found here:
>
> http://sites.google.com/site/wassec/final-draft
>
> I would also suggest taking vague comments like "AppScan and WebInspect suck
> now because they were bought by IBM and HP" with a grain of salt. Give the
> tools a try and decide for yourself whether or not they work for you. If
> there are things that you don't like about a particular tool or think need
> to be improved, tell the vendor or developer and be as specific as possible.
> If you're right and they care, it will lead to improvements in the tool.
>
> Thanks,
> Brian
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On
> Behalf Of Randal T. Rioux
> Sent: Friday, May 22, 2009 1:06 PM
> To: webappsec@...; js.lists@...
> Subject: RE: Recommendation for web app scanner
>
> Watchfire (AppScan) was great until IBM bought them (the Symantec
> syndrome...). WebInspect was great until HP bought them (HP just sucks all
> around). It's a tough market for management friendly report generating Web
> app scanners.
>
> NIST keeps a nice list:
>
> http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
>
> I tested Hailstorm once, it didn't perform as well as I hoped for the asking
> price. Good luck!
>
> Randy
>
>> I need a new web app scanner with features similar to Acunetix for
>> around the same price.
>>
>> We've been using Acunetix for a few years, but they won't return my
>> calls (is 3 enough?) to renew, so I'm moving on.
>>
>> I'm not experienced enough to do my own assessment by hand.
>>
>> I can't afford web app services like White Hat.
>>
>> Any help would be appreciated.
>>
>>
>
>
« Return to Thread: Recommendation for web app scanner
| Free embeddable forum powered by Nabble | Forum Help |
