Re: Which Commercial Web App Scanner?

["Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>]

Hi Norma,

First I totally agree with Todd that you should eval all products
before buy any.

I work for N-Stalker as Security Engineer and I can tell you we have
an awesome product. For sure we have the biggest database of
vulnerabilites. Here our checks :
http://www.nstalker.com/products/security-checks

SCMagazine did a nice review
http://www.scmagazineus.com/N-Stalker-Web-Application-Security-Scanner/Review/2841/

Jeremiah posted some week ago a nice VA vendor comparison about vendors

Post: http://jeremiahgrossman.blogspot.com/2009/08/website-va-vendor-comparison-chart.html
Chart only: http://3.bp.blogspot.com/_JdybrokZBAk/Sp__NNP9WKI/AAAAAAAABtM/KKnNeTGMHEU/s1600-h/matrix.png

More info about N-Stalker

http://nstalker.com/about
http://nstalker.com/about/customers

Try an evaluation
http://www.nstalker.com/products/enterprise/request-evaluation

Hope it helps.

On Tue, Oct 13, 2009 at 5:52 PM, Todd Haverkos <infosec () haverkos com> wrote:
> Norma Snockers <norma.snockers () hotmail co uk> writes:
>
> > Folks,
> >
> > I've read the threads, last one about 5 months ago...
> >
> > http://seclists.org/webappsec/2009/q2/68
> >
> > and whilst very helpful, I'm still in a quandry.
> >
> > AppScan is expensive, so assuming that leaves WebInspect and
> > Acunetix which one would you personally choose?
>
> FYI, AppScan Standard and SPI Webinspect are priced similarly last
> time I checked, so I wouldn't be so quick to rule AppScan out.  You
> can download a trial of AppScan btw.  I wouldnt' buy any tool without
> test driving it against a representative site with which I was
> familiar.
>
> I've used both, and like any automated app scanner, both with flag
> things that turn out to be false positives, and neither are a
> substitute for manual testing and review of business logic, and the
> like, but they are both excellent at automating a wide range of
> fuzzing and link discovery tests.  My (admittedly biased) opinion
> tilts towards Appscan.
>
> I've not used Acunetix, but I've listened to more than a few podcasts
> where Ryan Jones and Chris Nickerson (of Tiger Team and Exotic
> Liability fame) are very frank in their thoughts about it.  It'd give
> me pause then to think of Acunetix in the same league as AppScan and
> SPI.
>
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



--
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------