Security Basics mailing list archives

Re: Web Application Scanners


From: Tom Stracener <strace () gmail com>
Date: 17 Jan 2005 20:38:23 -0000

In-Reply-To: <A494F4183EEB204185DE1490EEA03713AAE47B () vega traiana int>

Leon,

Yes, you should also look at Cenzic's Hailstorm (www.cenzic.com). While I was a consultant I worked with Hailstorm 
extensively. It's quite powerful and has in most cases a very low occurrence of false positives. However, Hailstorm does 
presuppose a degree of expertise in the user, and as such, it's not really a "shiny red button" technology that allows 
you to click a single button and get an all-encompassing audit. It has a wealth of configuration options that an 
experienced user can use to fine-tune the scanning process, and thereby reduce false positives and narrow the focus to 
specific types of application vulnerabilities. 

With regard to Paros, it's pretty neat but not all of its features are well documented. I had a hard time creating my 
own plugins for it, so I set it aside for the time being.

Hope this helps.

-Tom



From: "Leon Rosenstein" <leonr () traiana com>
To: "security basics" <security-basics () securityfocus com>

Hi,

Currently looking over Webinspect & Sanctum.  What are some of people's
thoughts / experiences on Webinspect vs AppScan?  Any other big players
in the space people can suggest?

Thanks,

Leon
