Penetration Testing mailing list archives

Re: Which Commercial Web App Scanner?


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 13 Oct 2009 15:52:46 -0500

Norma Snockers <norma.snockers () hotmail co uk> writes:

> Folks,
>
> I've read the threads, last one about 5 months ago...
>
> http://seclists.org/webappsec/2009/q2/68
>
> and whilst very helpful, I'm still in a quandary.
>
> AppScan is expensive, so assuming that leaves WebInspect and
> Acunetix which one would you personally choose?

FYI, AppScan Standard and SPI WebInspect are priced similarly last
time I checked, so I wouldn't be so quick to rule AppScan out.  You
can download a trial of AppScan btw.  I wouldn't buy any tool without
test driving it against a representative site with which I was
familiar.

I've used both, and like any automated app scanner, both will flag
things that turn out to be false positives, and neither is a
substitute for manual testing and review of business logic, and the
like, but they are both excellent at automating a wide range of
fuzzing and link discovery tests.  My (admittedly biased) opinion
tilts towards AppScan.

I've not used Acunetix, but I've listened to more than a few podcasts
where Ryan Jones and Chris Nickerson (of Tiger Team and Exotic
Liability fame) are very frank in their thoughts about it.  It'd give
me pause then to think of Acunetix in the same league as AppScan and
SPI.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
