Which Commercial Web App Scanner?


Which Commercial Web App Scanner?

by Norma Snockers



Folks,

I've read the threads, last one about 5 months ago...

http://seclists.org/webappsec/2009/q2/68

and whilst very helpful, I'm still in a quandary.

AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of
Acunetix (and it includes GHDB checks - however is that really
needed?), but my head is saying WebInspect.  I've seen people recommend
both.

If you were to make a final decision, which would you buy between Acunetix and WebInspect (to be used in conjunction with open source tools) - based purely on the usability, functionality and efficiency of the product, not the aftersales support?

Many thanks.    
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


RE: Which Commercial Web App Scanner?

by contact-75


Hi,

You can try Netsparker Web Application Security Scanner:
www.mavitunasecurity.com

Regards.



RES: Which Commercial Web App Scanner?

by Rodrigo Matuck-2


Hi Norma

I have already used 3 different Web App Scanners in my company: Acunetix, AppScan and N-Stalker. Acunetix and N-Stalker are cheaper, however we got a lot of false positives with Acunetix. N-Stalker does the job, but not as well as AppScan. About HP WebInspect, I recently did a SecureSphere (Imperva) training and the instructor recommended that tool, but I have never used it.

In my opinion take the HP WebInspect.

Regards,

Rodrigo Matuck Roque
Security Analyst - Penetration Tester



Re: Which Commercial Web App Scanner?

by bugtraq-2


I would suggest identifying what you need before selecting a product.
The Web Application Security Consortium has just published a guide on how to do exactly this
at http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria .

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/



Re: Which Commercial Web App Scanner?

by Todd Haverkos-2


Norma Snockers <norma.snockers@...> writes:

> Folks,
>
> I've read the threads, last one about 5 months ago...
>
> http://seclists.org/webappsec/2009/q2/68
>
> and whilst very helpful, I'm still in a quandry.
>
> AppScan is expensive, so assuming that leaves WebInspect and
> Acunetix which one would you personally choose?

FYI, AppScan Standard and SPI Webinspect are priced similarly last
time I checked, so I wouldn't be so quick to rule AppScan out.  You
can download a trial of AppScan btw.  I wouldn't buy any tool without
test driving it against a representative site with which I was
familiar.

I've used both, and like any automated app scanner, both will flag
things that turn out to be false positives, and neither are a
substitute for manual testing and review of business logic, and the
like, but they are both excellent at automating a wide range of
fuzzing and link discovery tests.  My (admittedly biased) opinion
tilts towards Appscan.

I've not used Acunetix, but I've listened to more than a few podcasts
where Ryan Jones and Chris Nickerson (of Tiger Team and Exotic
Liability fame) are very frank in their thoughts about it.  It'd give
me pause then to think of Acunetix in the same league as AppScan and
SPI.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/



Re: Which Commercial Web App Scanner?

by Eric Milam


I am learning Acunetix now and when used properly it is very effective.
The Blind SQL injection piece is nice.

You just really have to know the tool you are using.  If it is an
awesome tool, but you don't know anything about it, the net result is
that your results will suck.




Re: Which Commercial Web App Scanner?

by Guy-763


Norma,

If you do end up settling on AppScan, definitely go for the "Standard"
or desktop edition. The "Enterprise" version isn't nearly as much fun
when it comes time to weed out the false positives. I'll often run a
scan with Enterprise and revert back to the Desktop version just for
coming up with a working proof of concept. Developers don't like to be
told their code is shit and will often say AppScan is "wrong", so I'm
always ready to illustrate. That glazed over look they give when a
dumped user table or other sensitive information is displayed in their
app is priceless. Just one of the many reasons I love my job :]

Guy P.



Re: Which Commercial Web App Scanner?

by Dotzero



I've used WebInspect since before HP acquired SpiDynamics. WebInspect
is a decent product from a use perspective but I have been severely
disappointed with the degradation of customer service since HP
acquired them. Our last renewal with them was a disaster. All we
wanted from them was an invoice with a PO number on it. Our license
lapsed for two months (no updates) while HP sorted it out. I asked
them for a make good of a two month extension which is a not
unreasonable request under the circumstances.
Despite promises from people at various levels that we would be taken
care of, nothing was done. They did give me a free t-shirt at RSA as
the product manager was promising that this would be taken care of.

Despite my liking the product and having used it for a while, we are
planning on switching to Cenzic/Hailstorm when our support
subscription expires this year.

I can't speak to Acunetix.

Folks on the client side should never forget that it is not just the
product but how the technical support and customer service can impact
you and your operations. Vendors should remember that treating a
customer poorly may result in their going to another vendor and
possibly speaking out publicly about why they walked.



RE: Which Commercial Web App Scanner?

by Norma Snockers



Thanks for all the replies so far, all good info for digestion. I appreciate it's a developing field, subject to rapid change and no substitute for manual testing.

I intend to use as a timesaving tool alongside manual testing to enhance/develop my experience/understanding.

I wasn't aware of Hailstorm and found this review http://www.scmagazineus.com/Cenzic-Hailstorm/Review/1081/ - although it is early last year and may have changed.  If the price is still current then although it might be the better product, this places it out of reach budget-wise compared to the opposition.

Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has anyone become a beta tester who can comment?

I've seen the test comparison between my 3 original possibles here http://drop.io/anantasecfiles which seems to indicate that Acunetix (plus Acusensor) could be the best?  AppScan found much more against its own test website than the others, and likewise WebInspect - to be expected perhaps.

Still investigating.



Re: Which Commercial Web App Scanner?

by Roman Medina-Heigl Hernandez


Onur YILMAZ wrote:
> You can try it Netsparker Web Application Security Scanner:
> www.mavitunasecurity.com

Any idea about the (approx.) price? I had a quick look at their website and
it's currently in beta stage; I don't think they are selling yet. Since
they're beginning, I suppose it should be nearer to Acunetix's price
range than AppScan/WebInspect's, but who knows...


PS: Norma, if you discarded AppScan due to its price then forget WebInspect
too! It will also be more difficult for you to get an eval version from a
big company like HP or IBM than from smaller ones (I'd evaluate Acunetix,
if I were you).

Cheers,
-Roman



Re: Which Commercial Web App Scanner?

by Rodrigo Montoro (Sp0oKeR)


Hi Norma,

First, I totally agree with Todd that you should eval all products
before buying any.

I work for N-Stalker as a Security Engineer and I can tell you we have
an awesome product. For sure we have the biggest database of
vulnerabilities. Here are our checks:
http://www.nstalker.com/products/security-checks

SCMagazine did a nice review
http://www.scmagazineus.com/N-Stalker-Web-Application-Security-Scanner/Review/2841/

Jeremiah posted a nice VA vendor comparison some weeks ago

Post: http://jeremiahgrossman.blogspot.com/2009/08/website-va-vendor-comparison-chart.html
Chart only: http://3.bp.blogspot.com/_JdybrokZBAk/Sp__NNP9WKI/AAAAAAAABtM/KKnNeTGMHEU/s1600-h/matrix.png

More info about N-Stalker

http://nstalker.com/about
http://nstalker.com/about/customers

Try an evaluation
http://www.nstalker.com/products/enterprise/request-evaluation

Hope it helps.

--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker



RE: Which Commercial Web App Scanner?

by Darren Webb


Hello Norma,

If I might add my small contribution to this discussion, (And I am going on
the premise that you haven't already done this) you might also want to check
out the SANS SEC 542 class that is done by Kevin Johnson. I have been doing
testing for a while and this class was a great way to refine my methodology
and techniques. (Learn more about the "why" and "when" that is behind the
"how".) You will also be exposed to a lot of really interesting open source
tools that can aid in your manual tests. (These tools also can help shape
your ideas when it comes to a commercial tool)

I would also recommend that you check with the Hailstorm guys to see if that
price still is in effect. (I am a former Hailstorm user) I like Hailstorm
because out of all the commercial tools I have used, it had the most "open
source" feel (i.e. you could modify the scans and attacks "under the hood"
so to speak - and in my experience next to accuracy, flexibility is one of
the most important assets a tool can have.)

Hope that helps.

Darren


Re: Which Commercial Web App Scanner?

by Roman Medina-Heigl Hernandez

Dan Anderson wrote:
> 2009/10/15 Roman Medina-Heigl Hernandez <roman@...>:
>> PS: Norma, if you discarded Appscan due to its price then forget WebInspect
>> too! It will also be more difficult for you to get an eval version from a
>> big company like HP or IBM, than from smaller ones (I'd evaluate Acunetix,
>> if I were you).
>
> FUD.

Mmmmm... let's see...

> http://www.ibm.com/developerworks/downloads/r/appscan/standarded.html?S_TACT=105AGX23&S_CMP=rnav

"With the evaluation license you can scan only a test Web site, Altoro
Mutual at http://demo.testfire.net."

When I say "evaluation" I mean a *real* evaluation. If you consider that
launching the app against a specially and "carefully prepared" environment
is sufficient to evaluate a product then I wouldn't hire you to perform an
eval job :) Please, let's be serious, Dan.

> https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

Same applies here. Now try to contact them for any tech (or non-tech)
question about its product, evaluation conditions, eval license extension, etc.

This case is real: I had 1-2 weeks to perform some quick eval and tried to
contact them using the page you provided (or similar, I don't recall; you
are not the only one who knows how to fill in a Google form and hit the
enter key). I never got it... because when a person was (supposedly) ready
to send me the eval license, 3-4 weeks had passed and I was out of my eval
time, so I aborted it :)

It is so simple: big company == more bureaucracy == more time.

> Two seconds with Google is your friend.

Two seconds reading the former URLs, or (more time to) simply trying to ask
for a real eval opportunity, and you could avoid embarrassing yourself in a
public mailing-list :)

Cheers,
-Roman


RE: Which Commercial Web App Scanner?

by Norma Snockers

Hi Darren,

I've done 542 last year with Raul. It's a good course - now extended I believe. It was a bit of a rush to cram all the aspects in so it was needed.

I've had Hailstorm come back to me by email so another to add to the list.

Thanks.

----------------------------------------
> From: spyder007@...
> To: norma.snockers@...; pen-test@...
> Subject: RE: Which Commercial Web App Scanner?
> Date: Thu, 15 Oct 2009 22:42:29 -0500
>
> Hello Norma,
>
> If I might add my small contribution to this discussion, (And I am going on
> the premise that you haven't already done this) you might also want to check
> out the SANS SEC 542 class that is done by Kevin Johnson. I have been doing
> testing for a while and this class was a great way to refine my methodology
> and techniques. (Learn more about the "why" and "when" that is behind the
> "how".) You will also be exposed to a lot of really interesting open source
> tools that can aid in your manual tests. (These tools also can help shape
> your ideas when it comes to a commercial tool)
>
> I would also recommend that you check with the Hailstorm guys to see if that
> price still is in effect. (I am a former Hailstorm user) I like Hailstorm
> because out of all the commercial tools I have used, it had the most "open
> source" feel (I.E. you could modify the scans and attacks "under the hood"
> so to speak - and in my experience next to accuracy, flexibility is one of
> the most important assets a tool can have.)
>
> Hope that helps.
>
> Darren
>
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On
> Behalf Of Norma Snockers
> Sent: Thursday, October 15, 2009 2:25 AM
> To: pen-test@...
> Subject: RE: Which Commercial Web App Scanner?
>
>
> Thanks for all the replies so far, all good info for digestion. I appreciate
> it's a developing field, subject to rapid change and no substitute for
> manual testing.
>
> I intend to use it as a timesaving tool alongside manual testing to
> enhance/develop my experience/understanding.
>
> I wasn't aware of Hailstorm and found this review
> http://www.scmagazineus.com/Cenzic-Hailstorm/Review/1081/ - although it is
> early last year and may have changed.  If the price is still current then
> although it might be the better product, this places it out of reach
> budget-wise compared to the opposition.
>
> Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has
> anyone become a beta tester who can comment?
>
> I've seen the test comparison between my 3 original possibles here
> http://drop.io/anantasecfiles which seems to indicate that Acunetix (plus
> Acusensor) could be the best?  AppScan found much more against its own test
> website than the others, and likewise WebInspect - to be expected perhaps.
>
> Still investigating.

RE: Which Commercial Web App Scanner?

by Norma Snockers

The licencing is totally different between products and therefore you also have to factor in how long you intend to keep using the tool. It might cost more in the short term for flexibility, i.e. if you want to look around again next renewal date. Licences vary between same cost per year, high cost first year reducing thereafter, and one-off high payment for the software, support costs annually.

I have no problem with obtaining a proper eval version - I was just asking for real world experiences to help me decide - it would be really good for one product to stand head and shoulders above the rest - they all have their strengths and weaknesses, likes and dislikes.

Regards,

NS

----------------------------------------
> Date: Thu, 15 Oct 2009 16:30:02 -0500
> Subject: Re: Which Commercial Web App Scanner?
> From: dan-anderson@...
> To: roman@...
> CC: contact@...; norma.snockers@...; pen-test@securityfocus.com
>
> 2009/10/15 Roman Medina-Heigl Hernandez :
>> PS: Norma, if you discarded Appscan due to its price then forget WebInspect
>> too! It will also be more difficult for you to get an eval version from a
>> big company like HP or IBM, than from smaller ones (I'd evaluate Acunetix,
>> if I were you).
>
> FUD.
>
> http://www.ibm.com/developerworks/downloads/r/appscan/standarded.html?S_TACT=105AGX23&S_CMP=rnav
>
> https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
>
> Two seconds with Google is your friend.
>
> Dan

RE: Which Commercial Web App Scanner?

by Norma Snockers

It would be the Standard version - but are WebInspect and Acunetix able to do the same?

The test blog I saw (and linked to in an earlier mail) said that AppScan was the worst in almost all cases, Acunetix (with AcuSensor) the better of the 3 for finding problems and all round capability.

Anyone any comments about how good AcuSensor is?

Kind Regards,

NS

----------------------------------------

> Date: Wed, 14 Oct 2009 09:51:15 -0400
> Subject: Re: Which Commercial Web App Scanner?
> From: patterson@...
> To: norma.snockers@...; pen-test@...
>
> On Sat, Oct 10, 2009 at 3:31 AM, Norma Snockers wrote:
>
> Norma,
>
> If you do end up settling on AppScan, definitely go for the "Standard"
> or desktop edition. The "Enterprise" version isn't nearly as much fun
> when it comes time to weed out the false positives. I'll often run a
> scan with Enterprise and revert back to the Desktop version just for
> coming up with a working proof of concept. Developers don't like to be
> told their code is shit and will often say AppScan is "wrong", so I'm
> always ready to illustrate. That glazed over look they give when a
> dumped user table or other sensitive information is displayed in their
> app is priceless. Just one of the many reasons I love my job :]
>
> Guy P.
>

Re: Which Commercial Web App Scanner?

by Luca Carettoni

On Thursday 15 October 2009, Norma Snockers wrote:
> Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has
> anyone become a beta tester who can comment?

Hi,
    I'm currently testing the latest version of Netsparker and it is really
promising. You may consider joining the beta.

As a pentester, I really enjoy the focus on exploiting. It is not just a web
application scanner since you can actually confirm vulnerabilities on demand.
The GUI is well designed and it's easy to use.

Obviously, at this stage, it cannot be fully compared (in terms of software
maturity) with other commercial scanners (Acunetix, Appscan, ...).
However, in the near future, it may be the right solution between pure
automatic scanners and manual tools.

Cheers,
Luca

--
Luca Carettoni
http://blog.nibblesec.org


Re: Which Commercial Web App Scanner?

by Ivan .

I'll throw this into the mix

Automated Security Testing - Can't I Just Point-n-Click? (Part 1)
http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/10/16/security-testing-can-t-i-just-point-n-click.aspx
