RE: Which Commercial Web App Scanner?

[Norma Snockers <norma.snockers () hotmail co uk>]

 <000001ca4e12$b001b440$10051cc0$@net>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0


Hi Darren=2C
=20
I've done 542 last year with Raul. It's a good course - now extended I beli=
eve. It was a bit of a rush to cram all the aspects in so was needed.
=20
I've had Hailstorm come back to me by email so another to add to the list.
=20
Thanks.

----------------------------------------
> From: spyder007 () charter net
> To: norma.snockers () hotmail co uk=3B pen-test () securityfocus com
> Subject: RE: Which Commercial Web App Scanner?
> Date: Thu=2C 15 Oct 2009 22:42:29 -0500
>
> Hello Norma=2C
>
> If I might add my small contribution to this discussion=2C (And I am goin=
g on
> the premise that you haven't already done this) you might also want to ch=
eck
> out the SANS SEC 542 class that is done by Kevin Johnson. I have been doi=
ng
> testing for a while and this class was a great way to refine my methodolo=
gy
> and techniques. (Learn more about the "why" and "when" that is behind the
> "how".) You will also be exposed to a lot of really interesting open sour=
ce
> tools that can aid in your manual tests. (These tools also can help shape
> your ideas when it comes to a commercial tool)
>
> I would also recommend that you check with the Hailstorm guys to see if t=
hat
> price still is in effect. (I am a former Hailstorm user) I like Hailstorm
> because out of all the commercial tools I have used=2C it had the most "o=
pen
> source" feel (I.E. you could modify the scans and attacks "under the hood=
"
> so to speak - and in my experience next to accuracy=2C flexibility is one=
 of
> the most important assets a tool can have.)
>
> Hope that helps.
>
> Darren
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] =
On
> Behalf Of Norma Snockers
> Sent: Thursday=2C October 15=2C 2009 2:25 AM
> To: pen-test () securityfocus com
> Subject: RE: Which Commercial Web App Scanner?
>
>
> Thanks for all the replies so far=2C all good info for digestion. I appre=
ciate
> it's a developing field=2C subject to rapid change and no substitute for
> manual testing.
>
> I intend to use as a timesaving tool alongside manual testing to
> enhance/develop my experience/understanding.
>
> I wasn't aware of Hailstorm and found this review
> http://www.scmagazineus.com/Cenzic-Hailstorm/Review/1081/ - although it i=
s
> early last year and may have changed.  If the price is still current then
> although it might be the better product=2C this places it out of reach
> budget-wise compared to the opposition.
>
> Netsparker also looks intriguing http://www.mavitunasecurity.com/ - has
> anyone become a beta tester who can comment?
>
> I've seen the test comparison between my 3 original possibles here
> http://drop.io/anantasecfiles which seems to indicate that Acunetix (plus
> Acusensor) could be the best?  AppScan found much more against its own te=
st
> website than the others=2C and likewise WebInspect - to be expected perha=
ps.
> Still investigating.
>
>
>
>
>
>
> ----------------------------------------
> > From: norma.snockers () hotmail co uk
> > To: pen-test () securityfocus com
> > Subject: Which Commercial Web App Scanner?
> > Date: Sat=2C 10 Oct 2009 07:31:56 +0000
> >
> >
> > Folks=2C
> >
> > I've read the threads=2C last one about 5 months ago...
> >
> > http://seclists.org/webappsec/2009/q2/68
> >
> > and whilst very helpful=2C I'm still in a quandry.
> >
> > AppScan is expensive=2C so assuming that leaves WebInspect and Acunetix
> which one would you personally choose?
> > I've done a very small amount of evaluation - I like the initial feel of
> > Acunetix (and it includes GHDB checks - however is that really
> > needed?)=2C but my head is saying WebInspect. I've seen people recommend
> > both.
> >
> > If you were to make a final decision=2C which would you buy between Acun=
etix
> and WebInspect (to be used in conjunction with open source tools) - based
> purely on the usability=2C functionality and efficiency of the product=2C=
 not
> the aftersales support?
> > Many thanks.
> > _________________________________________________________________
> > Use Hotmail to send and receive mail from your different email accounts.
> > http://clk.atdmt.com/UKM/go/167688463/direct/01/
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review
> Board
> > Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
> _________________________________________________________________
> Did you know you can get Messenger on your mobile?
> http://clk.atdmt.com/UKM/go/174426567/direct/01/
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Boa=
rd
> Prove to peers and potential employers without a doubt that you can actua=
lly
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
                                         =20
_________________________________________________________________
Access your other email accounts and manage all your email from one place.
http://clk.atdmt.com/UKM/go/167688463/direct/01/=

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------