[Owasp-boston] Larry Suto with an updated Application Security Scanner Report

Javed Ikbal javed at zsquad.com
Thu Feb 4 13:09:52 EST 2010


Observations:
1. Fully agree that these scanners cannot find all the issues on their
own test websites. When questioned, one vendor spun it thus: "This means
we are not rigging the test."

2. I did not see the point of the debate in 2007 because 90% of users
have no clue what to do with these scanners and just point and shoot
them. Most training they get is 1 hour with the SE so I am perfectly
willing to accept that as the methodology.

3. While purists may not like this, I would have liked to see a
price/performance comparison included. Yes, Burp Suite does not support
JavaScript and has other problems; but for $200, I contend that for a
small company and a skilled user it offers great value.

Javed



On 2/4/2010 8:52 AM, Laverty, Patrick wrote:
>
> Has anyone had a chance to read it yet? Or have opinions on it? I
> know last time he released his report (2007), it was widely criticized.
>
> If you haven't seen it, it is here:
>
> http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
>
> If you're worried about a link to a PDF in an email like this, you can
> see it on this page:
>
> http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/
>
> As I am currently in the market for a scanning tool, I'm looking for
> any and all information from all sources on this sort of thing.
>
> Thanks!
>
> Patrick
>
> _______________________________________________
> Owasp-boston mailing list
> Owasp-boston at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-boston
