Penetration Testing mailing list archives

RE: Which Commercial Web App Scanner?


From: Norma Snockers <norma.snockers () hotmail co uk>
Date: Fri, 16 Oct 2009 18:20:41 +0000





It would be the Standard version - but are WebInspect and Acunetix able to do the same?

The test blog I saw (and linked to in an earlier mail) said that AppScan was the worst in almost all cases, Acunetix (with AcuSensor) the better of the 3 for finding problems and all round capability.

Anyone any comments about how good AcuSensor is?

Kind Regards,

NS

----------------------------------------
Date: Wed, 14 Oct 2009 09:51:15 -0400
Subject: Re: Which Commercial Web App Scanner?
From: patterson () nullamatix com
To: norma.snockers () hotmail co uk; pen-test () securityfocus com

On Sat, Oct 10, 2009 at 3:31 AM, Norma Snockers wrote:


AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of
Acunetix (and it includes GHDB checks - however is that really
needed?), but my head is saying WebInspect.  I've seen people recommend
both.

If you were to make a final decision, which would you buy between Acunetix and WebInspect (to be used in conjunction with open source tools) - based purely on the usability, functionality and efficiency of the product, not the aftersales support?


Norma,

If you do end up settling on AppScan, definitely go for the "Standard"
or desktop edition. The "Enterprise" version isn't nearly as much fun
when it comes time to weed out the false positives. I'll often run a
scan with Enterprise and revert back to the Desktop version just for
coming up with a working proof of concept. Developers don't like to be
told their code is shit and will often say AppScan is "wrong", so I'm
always ready to illustrate. That glazed over look they give when a
dumped user table or other sensitive information is displayed in their
app is priceless. Just one of the many reasons I love my job :]

Guy P.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

