Penetration Testing mailing list archives

RE: Which Commercial Web App Scanner?


From: "Rodrigo Matuck" <rodrigo.matuck () future com br>
Date: Tue, 13 Oct 2009 15:09:55 -0300

Hi Norma,

I have already used 3 different Web App Scanners in my company: Acunetix, AppScan and N-Stalker. Acunetix and N-Stalker 
are cheaper; however, we got a lot of false positives with Acunetix. N-Stalker does the job, but not as well as 
AppScan. About HP WebInspect: I recently did a training on SecureSphere - Imperva and the instructor recommended 
that tool, but I have never used it.

In my opinion, take HP WebInspect.

Regards,

Rodrigo Matuck Roque
Security Analyst - Penetration Tester

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Norma Snockers
Sent: Saturday, 10 October 2009 04:32
To: pen-test () securityfocus com
Subject: Which Commercial Web App Scanner?


Folks,

I've read the threads, last one about 5 months ago...

http://seclists.org/webappsec/2009/q2/68

and whilst very helpful, I'm still in a quandary.

AppScan is expensive, so assuming that leaves WebInspect and Acunetix, which one would you personally choose?

I've done a very small amount of evaluation - I like the initial feel of Acunetix (and it includes GHDB checks - 
however, is that really needed?), but my head is saying WebInspect. I've seen people recommend both.

If you were to make a final decision, which would you buy between Acunetix and WebInspect (to be used in conjunction 
with open source tools) - based purely on the usability, functionality and efficiency of the product, not the 
aftersales support?

Many thanks.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

--

This message (including any attachments) contains confidential information intended for a specific individual and 
purpose, and is protected by law. If you are not the intended recipient, you should return and then delete this 
message. Any disclosure, copying, printing, use or distribution of this message, or the taking of any part, is illegal.
