[Owasp-boston] Web application security scanner recommendation

Weiler, Jim Jim.Weiler at starwoodhotels.com
Fri Oct 17 22:00:26 UTC 2014


We’ve given up using a server-based web app scanner (we had AppScan) and now use the Qualys service. I found that of the 42 options in AppScan that could affect the scan, most we never used, and some were poorly documented, and I could not easily get the info, in a useful format, on what URLs were actually scanned. We wanted that to verify that we were scanning what we wanted.

I think you need to scan from the internet, not through your company VPN or from inside your network out to the internet and back, to most accurately mimic an attacker. With the Qualys service you have no operational issues like server provisioning and maintenance, upgrades, etc. We have also installed Qualys scan engine VMs on internal servers to scan QA, staging, etc., and they are managed the same as the service.

Jim

Jim Weiler       CISSP   CSSLP   GSSP - Java
Application Security Architect
Information Security Team
Starwood Hotels      1505 Washington St.   Braintree MA. 02184
mobile - 781 654 6048

From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of Roy Wattanasin
Sent: Thursday, October 09, 2014 12:59 PM
To: Bernie Mamorbor
Cc: Owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Web application security scanner recommendation

Hi All:
Dependent on what you're looking for, I've had previous positive experiences with IBM AppScan, HP Fortify (previously called WebInspect) and Veracode. There's more today to test as well, though.

Roy

On Thu, Oct 9, 2014 at 11:13 AM, Bernie Mamorbor <Bernie.Mamorbor at sas.com> wrote:
I have executed AppScan Enterprise against our solutions with good results.

Dennis, we would all like to hear your results.

Thanks,
Bernie

From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of George Ehrhorn
Sent: Thursday, October 09, 2014 8:18 AM
To: d.antunes at comcast.net; mario.desousa at coderedinc.com
Cc: Owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Web application security scanner recommendation

We have had very good results with IBM App Scan. At a previous company we had very good results with HP WebInspect.

Dennis, I think the list would benefit from hearing your results.


From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of d.antunes at comcast.net
Sent: Wednesday, October 08, 2014 20:54
To: mario.desousa at coderedinc.com
Cc: Owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Web application security scanner recommendation

I just did a substantial bakeoff. It really depends on your requirements though.

See Shay Chen's http://sectooladdict.blogspot.com for extensive analysis and try to align your needs.

Email me off list if you'd like to hear my results.

Dennis


Sent from XFINITY Connect Mobile App
-----Original Message-----

From: mario.desousa at coderedinc.com
To: jikbal at gmail.com
Cc: Owasp-boston at lists.owasp.org
Sent: 2014-10-08 18:26:43 GMT
Subject: Re: [Owasp-boston] Web application security scanner recommendation

I had a good experience with WhiteHat last year. It's a SaaS product... Easy to set up and thorough. They have a service that also includes human review of the application to find security issues that are in the business logic.

Sent from my iPhone

> On Oct 8, 2014, at 5:26 PM, "Javed Ikbal" wrote:
>
> I am in the market for a web application scanner.
>
> I have experience with AppScan, WebInspect and Acunetix, although with
> older versions.
>
> I am not looking for a service like Qualys or Whitehat at this time.
>
> Any comments about these and anything else out there?
>
> If you recommend a product, please share why you like it.
>
> [ I am happy to receive comments from salespeople pushing their own
> product, but in that case please email me directly instead of the list
> ]
>
> Thanks in advance.
>
> Javed
> _______________________________________________
> Owasp-boston mailing list
> Owasp-boston at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-boston