[Owasp-boston] Web application security scanner recommendation

Kerry LeBlanc kerry_leblanc at verizon.net
Fri Oct 17 23:03:17 UTC 2014


Hey you might want to check these guys out: http://www.codenomicon.com/ 
I met their reps at the Triangle Infosecon here in Raleigh yesterday and 
they really have a great looking product. I myself never used it, but 
considering the sessions they ran and what I have seen on their site, 
they seem like a strong contender. The guys at the infosecon really knew 
what they were talking about. Might not be quite what you are looking 
for, but maybe worth a look.

Kerry LeBlanc, CISSP, GISP, C|EH
Information Security Consultant
Priveon, Inc.
Cell: 919-610-7080
kleblanc at priveon.com
www.priveon.com


On 10/17/2014 6:00 PM, Weiler, Jim wrote:
>
> We've given up using a server based web app scanner (we had AppScan) 
> and now use the Qualys service. I found that of the 42 options in 
> AppScan that could affect the scan, most we never used, and some were 
> poorly documented and I could not easily get the info, in a useful 
> format, on what URLs were actually scanned. We wanted that to verify 
> that we were scanning what we wanted.
>
> I think you need to scan from the internet, not through your company VPN 
> or from inside your network out to the internet and back, to most 
> accurately mimic an attacker. With the Qualys service you have no 
> operational issues like server provisioning and maintenance, upgrades 
> etc. We have also installed Qualys scan engine VMs on internal servers 
> to scan QA, staging etc., and they are managed the same as the service.
>
> Jim
>
> Jim Weiler       CISSP   CSSLP   GSSP - Java
>
> Application Security Architect
>
> Information Security Team
>
> Starwood Hotels      1505 Washington St.   Braintree MA. 02184
>
> mobile - 781 654 6048
>
> *From:*owasp-boston-bounces at lists.owasp.org 
> [mailto:owasp-boston-bounces at lists.owasp.org] *On Behalf Of *Roy 
> Wattanasin
> *Sent:* Thursday, October 09, 2014 12:59 PM
> *To:* Bernie Mamorbor
> *Cc:* Owasp-boston at lists.owasp.org
> *Subject:* Re: [Owasp-boston] Web application security scanner 
> recommendation
>
> Hi All:
>
> Dependent on what you're looking for, I've had previous positive 
> experiences with IBM AppScan, HP Fortify (previously called 
> WebInspect) and Veracode. There's more today though to test as well.
>
> Roy
>
> On Thu, Oct 9, 2014 at 11:13 AM, Bernie Mamorbor 
> <Bernie.Mamorbor at sas.com> wrote:
>
> I have executed AppScan Enterprise against our solutions with good 
> results.
>
> Dennis, we would all like to hear your results.
>
> Thanks,
>
> Bernie
>
> *From:* owasp-boston-bounces at lists.owasp.org 
> [mailto:owasp-boston-bounces at lists.owasp.org] *On Behalf Of* George 
> Ehrhorn
> *Sent:* Thursday, October 09, 2014 8:18 AM
> *To:* d.antunes at comcast.net; mario.desousa at coderedinc.com
> *Cc:* Owasp-boston at lists.owasp.org
> *Subject:* Re: [Owasp-boston] Web application security scanner 
> recommendation
>
> We have had very good results with IBM App Scan. At a previous company 
> we had very good results with HP WebInspect.
>
>
> Dennis, I think the list would benefit from hearing your results.
>
> *From:* owasp-boston-bounces at lists.owasp.org 
> [mailto:owasp-boston-bounces at lists.owasp.org] *On Behalf Of* 
> d.antunes at comcast.net
> *Sent:* Wednesday, October 08, 2014 20:54
> *To:* mario.desousa at coderedinc.com
> *Cc:* Owasp-boston at lists.owasp.org
> *Subject:* Re: [Owasp-boston] Web application security scanner 
> recommendation
>
> I just did a substantial bakeoff. It really depends on your 
> requirements though.
>
> See Shay Chen's http://sectooladdict.blogspot.com for extensive 
> analysis and try to align your needs.
>
> Email me off list if you'd like to hear my results.
>
> Dennis
>
>
> Sent from XFINITY Connect Mobile App
> -----Original Message-----
>
> From: mario.desousa at coderedinc.com
> To: jikbal at gmail.com
> Cc: Owasp-boston at lists.owasp.org
> Sent: 2014-10-08 18:26:43 GMT
> Subject: Re: [Owasp-boston] Web application security scanner 
> recommendation
>
> I had a good experience with WhiteHat last year. It's a SaaS 
> product... Easy to setup and thorough. They have a service that also 
> includes human review of the application to find security issues that 
> are in the business logic.
>
> Sent from my iPhone
>
> > On Oct 8, 2014, at 5:26 PM, "Javed Ikbal" wrote:
> >
> > I am in the market for a web application scanner.
> >
> > I have experience with appscan, webinspect and Acunetix, although with
> > older versions.
> >
> > I am not looking for a service like Qualys or Whitehat at this time.
> >
> > Any comments about these and anything else out there?
> >
> > If you recommend a product, please share why you like it.
> >
> > [ I am happy to receive comments from salespeople pushing their own
> > product, but in that case please email me directly instead of the list
> > ]
> >
> > Thanks in advance.
> >
> > Javed
> > _______________________________________________
> > Owasp-boston mailing list
> > Owasp-boston at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-boston
>
> This electronic message transmission contains information from the 
> Company that may be proprietary, confidential and/or privileged. The 
> information is intended only for the use of the individual(s) or 
> entity named above. If you are not the intended recipient, be aware 
> that any disclosure, copying or distribution or use of the contents of 
> this information is prohibited. If you have received this electronic 
> transmission in error, please notify the sender immediately by 
> replying to the address listed in the "From:" field.
