Excellent points. To add more from my point of view, you may also
consider the software or product marketing/sales strategies that
show features like those below in comparisons:

    * The One versus The Best
    * All-in-One versus Best-of-Breed
    * Suite versus Best-of-Breed
    * Best-of-Breed versus Integrated solutions
    * Endpoint solutions
    * On-demand solutions

Though we need the above features, the ultimate requirement for any
security professional is the discovery of the total number of real
vulnerabilities without funny false reports.

Naik/Gaurav/All, the point which I see as most important is how many
findings are correct with respect to the number of findings shown in the
assessment. Else we will end up spending our time testing something which
is irrelevant rather than our objective of testing the application.


Your thoughts pls?



Regards
Sandeep Thakur


On Mon, Jun 13, 2011 at 6:17 PM, N41K <[email protected]> wrote:
> Gaurav,
>
> As you know, in Security we never believe/trust a single automated
> utility.
>
> In these web application Scanners, the design is made to crawl to
> identify valid user inputs and then inject the payloads.
>
> Apart from that, a few other pre-defined standard requests are also
> sent to the target application.
>
> W.r.t the above inputs the application scans for vulnerabilities.
>
> So, in order for us to know which scanner is best, we can probably
> list it as below:
> 1. Vulnerabilities Covered
> 2. Vulnerability variants (Encoding)
> 3. Scanning performance
> 4. Target Application Supported (Java, ASP, PHP, etc.)
> 5. Features Supported (like Hijacking, Poisoning, Privilege
> Escalations, etc.)
> 6. Good Output Parser
>
> Hopefully, the above things are not limited to. But it's my view...
>
> It would be really great if everyone can edit/add above points.
>
> Cheers,
> 0xN41K
>
>
> On Jun 13, 2:13 pm, Gaurav Shah <[email protected]> wrote:
>> Thanks Srinivas for the links. Although I had seen the comparison from
>> Anurag Agarwal, the others were informative.
>> However, I did notice that the comparison from Darknet contradicts the
>> comparison from semiaccurate.
>> Darknet claims that (between appscan and webinspect) webinspect is better
>> and semiaccurate claims otherwise.
>>
>> How do we come to a conclusion?
>>
>>
>>
>>
>>
>> On Mon, Jun 13, 2011 at 1:06 PM, Srinivas Naik <[email protected]> wrote:
>> > Gaurav,
>>
>> > Hope the below reference will guide you...
>>
>> > Top AppScanners Scanned and Comparative Report:
>> > http://www.darknet.org.uk/content/files/WebVulnScanners.pdf
>>
>> > old but informative:
>> > http://myappsecurity.blogspot.com/2006/11/comparison-between-appscan-...
>>
>> > Further:
>> > http://semiaccurate.com/2010/02/05/web-security-scanners-evaluated-pa...
>>
>> > http://semiaccurate.com/static/uploads/2010/02_february/Accuracy_and_...
>>
>> > Cheers,
>> > 0xN41K
>>
>> > On Mon, Jun 13, 2011 at 10:29 AM, Gaurav Shah <[email protected]> wrote:
>>
>> >> Hi All,
>>
>> >> I was trying to find more information about these 2 scanners - IBM Rational
>> >> Appscan & HP WebInspect.
>> >> If you compare these 2, which of them is a better web application
>> >> vulnerability scanner & why?
>>
>> >> Please assist.
>>
>> >> --
>> >> Thanks & Regards
>> >> Gaurav Shah.
>> >> 91-9552504002.
>>
>> >> --
>> >> You received this message because you are subscribed to the Google Groups
>> >> "nforceit" group.
>> >> To post to this group, send an email to [email protected].
>> >> To unsubscribe from this group, send email to
>> >> [email protected].
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/nforceit?hl=en-GB.
>>
>> --
>> Thanks & Regards
>> Gaurav Shah.
>> 91-9552504002.
>

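Added example, not part of the original thread: one way to settle the question of which published comparison to believe is to run each scanner against a test application whose flaws are known, then score the reports for the share of correct findings (the point raised in the top message) and for coverage (criterion 1 in the quoted list). The scanner names, URLs, findings and class aliases below are constructed sample data, not results for any real product.

```python
from urllib.parse import urlsplit

# Constructed ground truth: flaws seeded in a deliberately vulnerable test app.
GROUND_TRUTH = [
    ("sqli", "/login", "user"),
    ("xss", "/search", "q"),
    ("xss", "/profile", "name"),
    ("csrf", "/transfer", ""),
]
# Constructed reports from two hypothetical scanners for the same app.
REPORTS = {
    "scanner_a": [
        ("SQL Injection", "http://test.local/login?user=x", "user"),
        ("Cross-Site Scripting", "http://test.local/search?q=1", "q"),
        ("Cross-Site Scripting", "http://test.local/about", "ref"),  # not real
        ("SQL Injection", "http://test.local/search?q=1", "q"),      # not real
    ],
    "scanner_b": [
        ("SQLi", "http://test.local/login", "user"),
        ("XSS", "http://test.local/search?q=a", "q"),
        ("XSS", "http://test.local/search?q=b", "Q"),                # duplicate
        ("XSS", "http://test.local/profile/", "name"),
    ],
}
# Each tool names vulnerability classes differently; map to one vocabulary.
CLASS_ALIASES = {"sql injection": "sqli", "cross-site scripting": "xss"}

def normalize(finding):
    """Reduce a finding to (class, path, parameter) so reports are comparable."""
    cls, url, param = finding
    key = cls.strip().lower()
    path = urlsplit(url).path.rstrip("/") or "/"
    return (CLASS_ALIASES.get(key, key), path, param.strip().lower())

def score(report, truth):
    """Compare one scanner report with the known flaws of the test app."""
    reported = {normalize(f) for f in report}   # set: duplicates count once
    expected = {normalize(f) for f in truth}
    correct = reported & expected
    return {
        "true_positives": len(correct),
        "false_positives": len(reported - expected),
        "missed": len(expected - reported),
        "precision": len(correct) / len(reported) if reported else 0.0,
        "coverage": len(correct) / len(expected) if expected else 0.0,
    }

if __name__ == "__main__":
    for name, report in REPORTS.items():
        print(name, score(report, GROUND_TRUTH))
```

Precision here is correct findings divided by findings shown; coverage is correct findings divided by flaws actually present, so a scanner that reports little can score high on the first and low on the second.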