Educause Security Discussion mailing list archives

Re: Web application security scanners


From: Steve Brukbacher <sab2 () UWM EDU>
Date: Thu, 18 Jan 2007 16:48:01 -0600

Our auditors purchased Nexpose by Rapid 7 as a sort of all in one
vulnerability scanner.

http://www.rapid7.com/

Why did we buy it?  Well it does a little bit of everything.  HIPAA,
PCI, web apps, pen testing.  Does it do each as well as some specialized
products?  Maybe not but it's working well for us.

It's really easy to use too and does very nice reporting.
I have it set up to do regularly scheduled scans and it then emails
those to the server admins.

It also gives you the CVE for specific vulnerabilities and explains
general how-to's for fixing common vulnerabilities.

I could get you more info from our auditor if you are interested.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224
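The workflow Steve describes (scheduled scans, results routed to the responsible server admins, each finding tagged with its CVE) can be reproduced with any scanner that exports findings. The following is an added example written for this archive page, not Rapid7 code and not something from the original thread; it takes a small constructed list of findings, maps hosts to owners, drops anything below a chosen severity, and renders one digest per admin. Host names, addresses and the `CVE-0000-000N` identifiers are placeholders, not real values.

```python
"""Route scanner findings to per-admin digests (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Lower rank sorts first; unknown severities sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cve: str          # placeholder identifier, or "none" when the scanner gave no CVE
    severity: str


# Constructed sample export; a real scanner would produce this as CSV/XML/JSON.
SAMPLE_FINDINGS = [
    Finding("web01.example.edu", "Outdated TLS configuration", "CVE-0000-0001", "high"),
    Finding("web01.example.edu", "Directory listing enabled", "none", "low"),
    Finding("db01.example.edu", "Default credentials", "CVE-0000-0002", "critical"),
    Finding("orphan01.example.edu", "Missing OS patches", "CVE-0000-0003", "medium"),
]

# Constructed host-to-owner map (hypothetical addresses).
HOST_OWNERS = {
    "web01.example.edu": "webadmin@example.edu",
    "db01.example.edu": "dbadmin@example.edu",
}
DEFAULT_OWNER = "security@example.edu"   # unmapped hosts go to the security team


def group_by_owner(findings, owners, default_owner=DEFAULT_OWNER, min_severity="low"):
    """Bucket findings by owner, drop those below min_severity, worst first."""
    threshold = SEVERITY_RANK.get(min_severity.lower(), max(SEVERITY_RANK.values()))
    grouped = defaultdict(list)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower(), len(SEVERITY_RANK))
        if rank > threshold:
            continue                      # below the threshold: not worth an e-mail
        grouped[owners.get(f.host, default_owner)].append(f)
    for bucket in grouped.values():
        bucket.sort(key=lambda f: (SEVERITY_RANK.get(f.severity.lower(), 99), f.host, f.title))
    return dict(grouped)


def render_digest(owner, findings):
    """Plain-text body an admin would receive; one line per finding with its CVE."""
    lines = [f"To: {owner}", f"Subject: Vulnerability scan digest ({len(findings)} finding(s))", ""]
    for f in findings:
        lines.append(f"[{f.severity.upper():<8}] {f.host}: {f.title} ({f.cve})")
    return "\n".join(lines)


def build_digests(findings, owners, default_owner=DEFAULT_OWNER, min_severity="low"):
    """Return {owner: digest_text}; hand each value to your mailer of choice."""
    grouped = group_by_owner(findings, owners, default_owner, min_severity)
    return {owner: render_digest(owner, fs) for owner, fs in grouped.items()}


if __name__ == "__main__":
    for text in build_digests(SAMPLE_FINDINGS, HOST_OWNERS).values():
        print(text, end="\n\n")
```

The default-owner fallback is the part worth keeping from this example: a host nobody claims still produces a digest, so it lands on the security team's desk instead of silently disappearing from the report rotation.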



Brad Judy wrote:
We're starting to look into web application security scanning tools and
I wanted to ping the group and see what people found when looking into
this for themselves and what motivated their selection.

After some initial digging, it looks like most people lean towards
Spidynamics' WebInspect or Watchfire's AppScan.  I plan on looking into
both of those.

Obviously, none of these products are the end-all-be-all of web app
security, but they do address the basic need of common web app coding
errors for an initial level of validation of both in-house developed
apps as well as pre-purchase testing of commercial apps.

So, what did you learn when looking into this space, what did you select
and why?

Thanks,

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder
