Penetration Testing mailing list archives
RE: Which Commercial Web App Scanner?
From: Norma Snockers <norma.snockers () hotmail co uk>
Date: Fri, 16 Oct 2009 17:57:40 +0000
Hi Darren,

I did 542 last year with Raul. It's a good course - now extended, I believe. It was a bit of a rush to cram all the aspects in, so it was needed.

I've had Hailstorm come back to me by email, so another to add to the list.

Thanks.

----------------------------------------
From: spyder007 () charter net
To: norma.snockers () hotmail co uk; pen-test () securityfocus com
Subject: RE: Which Commercial Web App Scanner?
Date: Thu, 15 Oct 2009 22:42:29 -0500

Hello Norma,

If I might add my small contribution to this discussion (and I am going on the premise that you haven't already done this), you might also want to check out the SANS SEC 542 class that is done by Kevin Johnson. I have been doing testing for a while and this class was a great way to refine my methodology and techniques. (Learn more about the "why" and "when" that is behind the "how".) You will also be exposed to a lot of really interesting open source tools that can aid in your manual tests. (These tools also can help shape your ideas when it comes to a commercial tool.)

I would also recommend that you check with the Hailstorm guys to see if that price still is in effect. (I am a former Hailstorm user.) I like Hailstorm because out of all the commercial tools I have used, it had the most "open source" feel (i.e. you could modify the scans and attacks "under the hood", so to speak - and in my experience, next to accuracy, flexibility is one of the most important assets a tool can have.)

Hope that helps.

Darren

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Norma Snockers
Sent: Thursday, October 15, 2009 2:25 AM
To: pen-test () securityfocus com
Subject: RE: Which Commercial Web App Scanner?

Thanks for all the replies so far, all good info for digestion. I appreciate it's a developing field, subject to rapid change and no substitute for manual testing. I intend to use it as a timesaving tool alongside manual testing to enhance/develop my experience/understanding.

I wasn't aware of Hailstorm and found this review http://www.scmagazineus.com/Cenzic-Hailstorm/Review/1081/ - although it is from early last year and may have changed. If the price is still current then, although it might be the better product, this places it out of reach budget-wise compared to the opposition.

Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has anyone become a beta tester who can comment?

I've seen the test comparison between my 3 original possibles here http://drop.io/anantasecfiles which seems to indicate that Acunetix (plus AcuSensor) could be the best? AppScan found much more against its own test website than the others, and likewise WebInspect - to be expected perhaps.

Still investigating.

----------------------------------------
From: norma.snockers () hotmail co uk
To: pen-test () securityfocus com
Subject: Which Commercial Web App Scanner?
Date: Sat, 10 Oct 2009 07:31:56 +0000

Folks,

I've read the threads, last one about 5 months ago... http://seclists.org/webappsec/2009/q2/68 and whilst very helpful, I'm still in a quandary. AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of Acunetix (and it includes GHDB checks - however, is that really needed?), but my head is saying WebInspect. I've seen people recommend both.

If you were to make a final decision, which would you buy between Acunetix and WebInspect (to be used in conjunction with open source tools) - based purely on the usability, functionality and efficiency of the product, not the aftersales support?

Many thanks.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------