Penetration Testing mailing list archives

Re: Which Commercial Web App Scanner?


From: Dotzero <dotzero () gmail com>
Date: Wed, 14 Oct 2009 10:19:46 -0400

On Sat, Oct 10, 2009 at 3:31 AM, Norma Snockers
<norma.snockers () hotmail co uk> wrote:

> Folks,
>
> I've read the threads, last one about 5 months ago...
>
> http://seclists.org/webappsec/2009/q2/68
>
> and whilst very helpful, I'm still in a quandary.
>
> AppScan is expensive, so assuming that leaves WebInspect and Acunetix,
> which one would you personally choose?
>
> I've done a very small amount of evaluation - I like the initial feel of
> Acunetix (and it includes GHDB checks - however, is that really
> needed?), but my head is saying WebInspect. I've seen people recommend
> both.
>
> If you were to make a final decision, which would you buy between
> Acunetix and WebInspect (to be used in conjunction with open source
> tools) - based purely on the usability, functionality and efficiency of
> the product, not the aftersales support?
>
> Many thanks.

I've used WebInspect since before HP acquired SpiDynamics. WebInspect
is a decent product from a use perspective, but I have been severely
disappointed with the degradation of customer service since HP
acquired them. Our last renewal with them was a disaster. All we
wanted from them was an invoice with a PO number on it. Our license
lapsed for two months (no updates) while HP sorted it out. I asked
them for a make-good of a two-month extension, which is a not
unreasonable request under the circumstances. Despite promises from
people at various levels that we would be taken care of, nothing was
done. They did give me a free t-shirt at RSA as the product manager
was promising that this would be taken care of.

Despite my liking the product and having used it for a while, we are
planning on switching to Cenzic/Hailstorm when our support
subscription expires this year.

I can't speak to Acunetix.

Folks on the client side should never forget that it is not just the
product but how the technical support and customer service can impact
you and your operations. Vendors should remember that treating a
customer poorly may result in their going to another vendor and
possibly speaking out publicly about why they walked.

