
List:       websecurity
Subject:    [WEB SECURITY] RE: Recommendation for web app scanner
From:       "Brian Shura" <bshura73 () gmail ! com>
Date:       2009-05-25 20:19:40
Message-ID: 004BE2D5753C4A6697539C78428597CF () appsec76

I would suggest trying out a number of these tools to see which one best
meets your needs.  For the commercial scanners, it's easy to get a 2-week
evaluation license from the vendors if you want to see the capabilities of
the tool before making a purchase decision.  

The Web Application Scanner Evaluation Criteria (WASSEC) from WASC provides
a list of scanner capabilities that should be taken into consideration and
advice for conducting an evaluation.  I expect that we'll be releasing
Version 1 of the WASSEC within the next month, but at this point the draft
document is almost complete and is already being used to help "raise the
bar" for web application scanning tools.  This document can be found here:  

http://sites.google.com/site/wassec/final-draft

I would also suggest taking vague comments like "AppScan and WebInspect suck
now because they were bought by IBM and HP" with a grain of salt.  Give the
tools a try and decide for yourself whether or not they work for you.  If
there are things that you don't like about a particular tool or think need
to be improved, tell the vendor or developer and be as specific as possible.
If you're right and they care, it will lead to improvements in the tool. 

Thanks,
Brian

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Randal T. Rioux
Sent: Friday, May 22, 2009 1:06 PM
To: webappsec@securityfocus.com; js.lists@gmail.com
Subject: RE: Recommendation for web app scanner

Watchfire (AppScan) was great until IBM bought them (the Symantec
syndrome...).  WebInspect was great until HP bought them (HP just sucks all
around). It's a tough market for management-friendly, report-generating Web
app scanners.

NIST keeps a nice list:

http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html

I tested Hailstorm once; it didn't perform as well as I hoped for the asking
price. Good luck!

Randy

>I need a new web app scanner with features similar to Acunetix for 
>around the same price.
>
>We've been using Acunetix for a few years, but they won't return my 
>calls (is 3 enough?) to renew, so I'm moving on.
>
>I'm not experienced enough to do my own assessment by hand.
>
>I can't afford web app services like White Hat.
>
>Any help would be appreciated.
>
>


