WebApp Sec mailing list archives
Re: Of the three expensive vulnerability scanners
From: Tom Stracener <strace () gmail com>
Date: 10 Oct 2004 19:45:05 -0000
In-Reply-To: <20041007153115.28058.qmail () www securityfocus com>

Hi!

I sought to answer this question for myself a while back, so hopefully you'll find my own experiences here useful.

First, consider the types of applications and the application environment you will be securing. Depending upon the complexity of the web application you're dealing with, you're likely to get quickly diminishing returns from the tools you have mentioned. Strong manual testing capabilities are a must, in my opinion, and sadly a lot of commercial apps fall short there. When possible, you should contact the vendors and acquire a demo license in order to get a feel for how a tool actually performs. If that's not available, then you should sit down with the vendors and get a hands-on session.

SPI Dynamics is very demo friendly. You'll find their people polite, professional, and quick to respond once you download the product. So if you want to take a look at it, just contact Natalie Hinkle <nhinkle () spidynamics com> if you have any questions or run into problems downloading it. Also, if you go this route be sure to download the SPI Toolkit, which includes some manual pen testing utilities.

With Sanctum, acquiring a demo was more difficult: I had to speak with the salesperson's manager and then wait a few days, only to be declined. Only after sending an email to their VP Internal Sales together with my resume did I manage to get a demo. You may have better results. Jane Foulkes <jfoulkes () sanctuminc com> is a sales person you can contact over there.

Last I checked Scando did not have a demo available at all.

I would also strongly encourage you to contact Cenzic and discuss having a look at their up-and-coming version of Hailstorm 2.0. It's by far the most extensible of the available commercial offerings. The tool provides a nice balance of automated versus manual app spidering, allows you to record and replay complicated HTTP sessions (which they call traversals), and then you can apply different types of security policies as Hailstorm iteratively steps through the web application. You can also create your own policies and have full control over the fault injectors which interrogate the app, as well as the types of response conditions you're interested in detecting. This tool shows an incredible amount of promise, so it would probably be in your interest to evaluate it. You can contact Mandeep Khera over there <mandeep () cenzic com> if you're interested in finding out more about it.

Also, browse the recent archives of this list because your question has surfaced in various forms and you'll be able to find a variety of useful perspectives.

--Tom
Current thread:
- Of the three expensive vulnerability scanners managingrisk (Oct 07)
- RE: Of the three expensive vulnerability scanners Joe Basirico (Oct 07)
- RE: Of the three expensive vulnerability scanners Don Tuer (Oct 09)
- Re: Of the three expensive vulnerability scanners Mark W. Webb (Nov 29)
- RE: Of the three expensive vulnerability scanners Tommy (Nov 30)
- Re: Of the three expensive vulnerability scanners Cesar (Oct 09)
- <Possible follow-ups>
- Re: Of the three expensive vulnerability scanners Tom Stracener (Oct 12)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 14)
- Re: Of the three expensive vulnerability scanners Daniel (Nov 15)
- Re: Of the three expensive vulnerability scanners Jeremiah Grossman (Nov 15)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 14)
- Re: Of the three expensive vulnerability scanners Tom Stracener (Nov 16)
- Re: Of the three expensive vulnerability scanners ban.marketing.bs (Nov 20)
- Re: Of the three expensive vulnerability scanners Adam Shostack (Nov 22)
- Re: Of the three expensive vulnerability scanners Jeff Williams (Nov 22)
- Re: Of the three expensive vulnerability scanners Adam Shostack (Nov 22)
- RE: Of the three expensive vulnerability scanners Michael Silk (Nov 22)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 25)
- Re: Of the three expensive vulnerability scanners ban.marketing.bs (Nov 22)