Penetration Testing mailing list archives

Re: Which Commercial Web App Scanner?


From: Guy <patterson () nullamatix com>
Date: Wed, 14 Oct 2009 09:51:15 -0400

On Sat, Oct 10, 2009 at 3:31 AM, Norma Snockers
<norma.snockers () hotmail co uk> wrote:


AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of
Acunetix (and it includes GHDB checks - however is that really
needed?), but my head is saying WebInspect.  I've seen people recommend
both.

If you were to make a final decision, which would you buy between Acunetix
and WebInspect (to be used in conjunction with open source tools) - based
purely on the usability, functionality and efficiency of the product, not
the aftersales support?


Norma,

If you do end up settling on AppScan, definitely go for the "Standard"
or desktop edition. The "Enterprise" version isn't nearly as much fun
when it comes time to weed out the false positives. I'll often run a
scan with Enterprise and revert back to the Desktop version just for
coming up with a working proof of concept. Developers don't like to be
told their code is shit and will often say AppScan is "wrong", so I'm
always ready to illustrate. That glazed-over look they give when a
dumped user table or other sensitive information is displayed in their
app is priceless. Just one of the many reasons I love my job :]

Guy P.
