Interesting, as per report none of the test bed was on Java. My two cents.
Tests can improve a lot if:
1) Scans are configured properly (how to scan and parse links, specific fields to complete a workflow).
2) The right type of policy is used (one can even customize it to get the best result).
3) In general, most of the known commercial web application scanners are more or less good (I don't consider Qualys a pure-play web app scanner; it lags a lot of the features of a typical web app scanner).

Regards
Plash

From: "Iyer, Anantharaman" <[email protected]>
To: "[email protected]" <[email protected]>
Date: 03/02/2010 02:14 PM
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison
Sent by: [email protected]

I feel every scanner has its pros & cons, so the only way to determine the best for your needs is to test it against your applications before making a final call. I have been reading reports and reviews by many authors and no two reports point out a clear winner. I am attaching one more report published in Feb 2010 on web application scanners comparison.

Gautam, this report will give some reason to re-consider WebInspect and consider NTOSpider ;-)

Regards,
Anantharaman Iyer

From: [email protected] [mailto:[email protected]] On Behalf Of John, Arun (HP Software-as-a-Service)
Sent: Monday, March 01, 2010 9:05 PM
To: Gautam Pagedar; Abir Banerjee
Cc: [email protected]
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

So has HP/SpiDynamics with Assessment Management Platform. www.hp.com/go/securitysoftware for info on these tools.

Regards
John

From: [email protected] [mailto:[email protected]] On Behalf Of Gautam Pagedar
Sent: Monday, March 01, 2010 9:29 AM
To: Abir Banerjee
Cc: [email protected]
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

It's great to see the comparison. We have been using AppScan for more than 5 years now and I somehow feel that it does not give me full control to do everything. It's of course a good tool for a novice starting AppSec. We also use Cenzic and it gives me some extra features and maybe also a way to compare every time I get into an engagement. FYI, AppScan has an Enterprise version and it's a cool tool for an enterprise-wide deployment and getting AppSec testing into the SDLC.

Abir, thanks for this report. It gives me a good reason to try WebInspect :-)

thanks,
Gautam

----- Original Message -----
From: Abir Banerjee
To: [email protected]
Cc: [email protected]
Sent: Saturday, February 27, 2010 7:24 AM
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

Hello Manik,

WebInspect is much better than AppScan since AppScan shows up a lot of false positives, and the best web vulnerability scanner would be Acunetix WVS + AcuSensor. Please see the comparison file attached.

Regards,
Abeer Banerjee
+91 9987099708

From: Manik Gupta <[email protected]>
To: [email protected]
Sent: Mon, 22 February, 2010 10:22:14 AM
Subject: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

Hi,

Kindly let me know which tool is better for penetration testing among IBM AppSCAN & HP WebInspect.

Regards,
Manik

_______________________________________________
Owasp-delhi mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-delhi

[attachment "Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf" deleted by Plash Chowdhary/DEL/TCS]
