Security Basics mailing list archives
Re: Best Commercial Security Testing tools
From: "security () stealthnodes com" <security () stealthnodes com>
Date: Sat, 04 Feb 2012 08:46:27 -0800
Rapid7, Core Impact, SAINT Corp, GFI, WebInspect, AppScan, Alert Logic (service), Nessus, Mavituna Security (Netsparker). All are great tools, and each has its strengths and weaknesses, so you need to test and find out which works best for your needs.
-Payam

On 12-02-02 08:48 AM, Vic Vandal wrote:
WebInspect is a good recommendation (from Manuel). It goes head-to-head with AppScan. I've used both and did a heavy bake-off where WebInspect came out on top (by a small margin). But since Caleb Sima and the tool/company got bought out, it's had some decent improvements but also taken some steps backward, in my professional opinion. I can cite details individually if needed, but basically it now misses some issues it used to catch. AppScan misses some stuff too. But WebInspect and AppScan are still very solid tools.

I try not to bash any tool publicly, but in line with that "stay away from Rapid-7" opinion I'll say that when I put eEye Retina through its paces in that mentioned bake-off it performed terribly. I'm guessing it got better the past couple of years, but I don't have any recent personal testing or usage to verify it one way or the other. And in all fairness Rapid-7 has actually gotten much better the past couple of years than it was. Its new hooks into Metasploit are also a desirable feature for some users. But it has advantages and disadvantages compared to similar tools like Lumension STAT Scanner and GFI LANguard. Rapid-7 also recently added some Oracle scan capabilities that STAT and GFI can't match (yet). I've used all 3 of those a bit extensively.

What I like about Lumension STAT is the ability to easily code up custom vulnerability and attestation checks (which I use extensively), and to do my own ad-hoc reporting against its back-end DB (which I also do extensively). I've not been able to duplicate those functions with Rapid-7. I have some close friends who work for GFI, so I'd rather not give any professional or personal input on that tool. It may come across like the guy who posted a Rapid-7 link and suggestion from a rapid7.com email address (eye roll). But each tool has pros and cons, and buyers should lay out their technical and functional requirements prior to evaluating tools and choosing one or more.
That's the bottom line and is my professional advice to the person that started this thread. The product(s) that meet the needs of myself, my employer, and the environment in which I need to assess risk (and/or break into) may or may not be the best choice for your environment.

Peace,
Vic

P.S. I find the repeated appending of that Apache SSL Thawte cert spam to each security-basics inquiry and response to be really annoying. I'm just saying. I removed 3 copies of that message from this thread before hitting Send on my response.

----- Original Message -----
From: "Manuel Landron" <mlandron () uspsoig gov>
To: "Belkacem Abdessemed" <Belkacem_Abdessemed () rapid7 com>
Cc: "Voulnet" <voulnet () gmail com>, security-basics () securityfocus com
Sent: Wednesday, February 1, 2012 1:16:29 PM
Subject: Re: Best Commercial Security Testing tools

We use Nessus, GFI LANguard, AppDetective, and WebInspect. Stay away from Rapid 7.

Sent from my iPhone

On Feb 1, 2012, at 10:12 AM, "Belkacem Abdessemed" <Belkacem_Abdessemed () rapid7 com> wrote:

www.rapid7.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Voulnet
Sent: Wednesday, February 01, 2012 3:27 AM
To: security-basics () securityfocus com
Subject: Best Commercial Security Testing tools

Hello,

I'm trying to compile a list and get quotations for the best commercial security pentesting tools, things like Metasploit Pro, Core Impact, Acunetix.. etc
Please, give me your recommendations!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- Best Commercial Security Testing tools Voulnet (Feb 01)
- RE: Best Commercial Security Testing tools Belkacem Abdessemed (Feb 01)
- Re: Best Commercial Security Testing tools Landron, Manuel (Feb 01)
- Re: Best Commercial Security Testing tools Kalka, Jean F DOD CIV (US) (Feb 01)
- Re: Best Commercial Security Testing tools Vic Vandal (Feb 02)
- Re: Best Commercial Security Testing tools security () stealthnodes com (Feb 05)
- Re: Best Commercial Security Testing tools Landron, Manuel (Feb 01)
- RE: Best Commercial Security Testing tools Rui Pereira (WCG) (Feb 01)
- RE: Best Commercial Security Testing tools Belkacem Abdessemed (Feb 01)
- <Possible follow-ups>
- Best Commercial Security Testing tools noreply (Feb 01)