Security Basics mailing list archives

Re: Best Commercial Security Testing tools


From: "security () stealthnodes com" <security () stealthnodes com>
Date: Sat, 04 Feb 2012 08:46:27 -0800

Rapid7, Core Impact, SAINT Corp, GFI, WebInspect, AppScan, Alert Logic (service), Nessus, Mavituna Security (Netsparker). All are great tools, and each has its strengths and weaknesses, so you need to test and find out which works best for your needs.

-Payam

On 12-02-02 08:48 AM, Vic Vandal wrote:
WebInspect is a good recommendation (from Manuel).  It goes head-to-head with AppScan.  I've used both and did a heavy 
bake-off where WebInspect came out on top (by a small margin).  But since Caleb Sima and the tool/company got bought out, it's 
had some decent improvements but also taken some steps backward, in my professional opinion.  I can cite details individually 
if needed, but basically it now misses some issues it used to catch.  AppScan misses some stuff too.  But WebInspect and 
AppScan are still very solid tools.

I try not to bash any tool publicly, but in line with that "stay away from Rapid-7" opinion I'll say that when I put eEye Retina 
through its paces in that mentioned bake-off it performed terribly.  I'm guessing it got better the past couple of years, but I don't 
have any recent personal testing or usage to verify it one way or the other.

And in all fairness Rapid-7 has actually gotten much better the past couple of years than it was.  Its new hooks into MetaSploit 
are also a desirable feature for some users.  But it has advantages and disadvantages to similar tools like Lumension STAT 
Scanner and GFI LANguard.  Rapid-7 also recently added some Oracle scan capabilities that STAT and GFI can't match (yet).  
I've used all 3 of those a bit extensively.

What I like about Lumension STAT is the ability to easily code up custom vulnerability and attestation checks (which I use 
extensively), and to do my own ad-hoc reporting against its back-end DB (which I also do extensively).  I've not been 
able to duplicate those functions with Rapid-7.

I have some close friends who work for GFI, so I'd rather not give any professional or personal input on that tool.  It 
may come across like the guy who posted a Rapid-7 link and suggestion from a rapid7.com email address (eye roll).
But each tool has pros and cons, and buyers should lay out their technical and functional requirements prior to evaluating 
tools and choosing one or more.  That's the bottom line and is my professional advice to the person that started this 
thread.  The product(s) that meet the needs of myself, my employer, and the environment in which I need to assess risk 
(and/or break into) may or may not be the best choice for your environment.

Peace,
Vic

P.S. I find the repeated appending of that Apache SSL Thawte cert spam to each security-basics inquiry and response to be 
really annoying.  I'm just saying.  I removed 3 copies of that message from this thread before hitting Send on my 
response.


----- Original Message -----
From: "Manuel Landron"<mlandron () uspsoig gov>
To: "Belkacem Abdessemed"<Belkacem_Abdessemed () rapid7 com>
Cc: "Voulnet"<voulnet () gmail com>, security-basics () securityfocus com
Sent: Wednesday, February 1, 2012 1:16:29 PM
Subject: Re: Best Commercial Security Testing tools

We use Nessus, GFI LANguard, AppDetective, and WebInspect. Stay away from Rapid 7.

Sent from my iPhone

On Feb 1, 2012, at 10:12 AM, "Belkacem Abdessemed"<Belkacem_Abdessemed () rapid7 com>  wrote:

www.rapid7.com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Voulnet
Sent: Wednesday, February 01, 2012 3:27 AM
To: security-basics () securityfocus com
Subject: Best Commercial Security Testing tools

Hello, I'm trying to compile a list and get quotations for the best commercial security pentesting tools, things like 
Metasploit Pro, Core Impact, Acunetix, etc.

Please, give me your recommendations!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

