Security Basics mailing list archives

Re: Best Commercial Vulnerability Scanner


From: "Andre Gironda" <andreg () gmail com>
Date: Fri, 15 Aug 2008 13:55:17 -0700

On Thu, Aug 14, 2008 at 10:45 AM, Danux <danuxx () gmail com> wrote:
We are doing vulnerability testing using SPI Dynamics with Mercury
Quality Center for defect management, but this tool (SPI) is too
expensive, and when used with MQC it is also too slow.

You could always test using a free, active testing tool such as Burp,
Paros, DirBuster, DFF Scanner, JBroFuzz, sn00per, w3af, and
Grendel-Scan, especially good combined with passive tools such as
Pantera, Proxmon, and ratproxy.  Syhunt and N-Stealth have free
versions of their scanners.  Acunetix, SPI, Cenzic, NTObjectives, and
Watchfire demo versions can be modified:
http://blog.clearnetsec.com/articles/2008/03/24/test-commercial-web-app-scanners-for-free-and-without-restrictions

Do you know of [personal experience or other source] where I
can find a comparison between those kinds of products?
I mean SPI Dynamics, WatchFire, Acunetix, Cenzic, and so on.

Out of those, I would not include Acunetix or Cenzic, as their
products are very limited.
Also see http://extra.fortifysoftware.com/blog/2008/08/space_race.html

We are looking for lower cost, better performance, and good
vulnerability defect management.

You may want to consider a security code review tool if you already
have access to the source code, which it sounds like you do.  There
are also at least three hybrid analysis tools on the market: SPI
Dynamics DevInspect/SecureObjects, Watchfire AppScan DE, and Fortify
PTA.

Cheers,
Andre

