[Owasp-boston] Larry Suto with an updated Application Security Scanner Report

Chris Eng ceng at Veracode.com
Thu Feb 4 14:24:15 EST 2010

Re #3, it’s not quite that simple. You have to factor in the salary of a skilled penetration tester versus a tool operator. That’s a pretty significant cost differential.

From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of Javed Ikbal
Sent: Thursday, February 04, 2010 1:10 PM
To: owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Larry Suto with an updated Application Security Scanner Report

1. Fully agree that these scanners cannot find all the issues on their own test websites. When questioned, one vendor spun it thus: "This means we are not rigging the test."

2. I did not see the point of the debate in 2007 because 90% of users have no clue what to do with these scanners and just point and shoot them. Most training they get is 1 hour with the SE, so I am perfectly willing to accept that as the methodology.

3. While purists may not like this, I would have liked to see a price/performance comparison included. Yes, Burp Suite does not support JavaScript and has other problems; but for $200, I contend that for a small company and a skilled user it offers great value.


On 2/4/2010 8:52 AM, Laverty, Patrick wrote:
Has anyone had a chance to read it yet? Or have opinions on it? I know last time he released his report (2007), it was widely criticized.

If you haven’t seen it, it is here:

If you’re worried about a link to a PDF in an email like this, you can see it on this page:

As I am currently in the market for a scanning tool, I’m looking for any and all information from all sources on this sort of thing.


Owasp-boston mailing list
Owasp-boston at lists.owasp.org