[Owasp-boston] Web application security scanner recommendation

Jeff Williams jeff.williams at owasp.org
Fri Oct 31 16:22:24 UTC 2014


I'm biased obviously, but Contrast is an instrumentation based approach to finding vulns that works in realtime.  There are a number of advantages.  I talked at AppSecUSA about it http://youtu.be/VQ69Ib_oih8.  Or you can try the free Eclipse plugin http://marketplace.eclipse.org/content/contrast-eclipse.

--Jeff


> On Oct 17, 2014, at 7:03 PM, Kerry LeBlanc <kerry_leblanc at verizon.net> wrote:
> 
> 
> Hey, you might want to check these guys out: http://www.codenomicon.com/  I met their reps at the Triangle Infosecon here in Raleigh yesterday and they really have a great looking product. I myself never used it, but considering the sessions they ran and what I have seen on their site, they seem like a strong contender. The guys at the infosecon really knew what they were talking about. Might not be quite what you are looking for, but maybe worth a look.
> 
> Kerry LeBlanc, CISSP, GISP, C|EH
> Information Security Consultant
> Priveon, Inc.
> Cell:   919-610-7080
> kleblanc at priveon.com
> www.priveon.com
> 
> 
>> On 10/17/2014 6:00 PM, Weiler, Jim wrote:
>> We’ve given up using a server based web app scanner (we had AppScan) and now use the Qualys service. I found that of the 42 options in AppScan that could affect the scan, most we never used, and some were poorly documented and I could not easily get the info, in a useful format, on what URLs were actually scanned. We wanted that to verify that we were scanning what we wanted.
>>  
>> I think you need to scan from the internet, not through your company VPN or from inside your network out to the internet and back, to most accurately mimic an attacker. With the Qualys service you have no operational issues like server provisioning and maintenance, upgrades etc. We have also installed Qualys scan engine VMs on internal servers to scan QA, staging etc. and they are managed the same as the service.
>>  
>> Jim
>>  
>> Jim Weiler       CISSP   CSSLP   GSSP - Java
>> Application Security Architect
>> Information Security Team
>> Starwood Hotels      1505 Washington St.   Braintree MA. 02184
>> mobile - 781 654 6048
>>  
>> From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of Roy Wattanasin
>> Sent: Thursday, October 09, 2014 12:59 PM
>> To: Bernie Mamorbor
>> Cc: Owasp-boston at lists.owasp.org
>> Subject: Re: [Owasp-boston] Web application security scanner recommendation
>>  
>> Hi All:
>> 
>> Dependent on what you're looking for, I've had previous positive experiences with IBM AppScan, HP Fortify (previously called WebInspect) and Veracode. There's more today though to test as well.
>> 
>> Roy
>>  
>> On Thu, Oct 9, 2014 at 11:13 AM, Bernie Mamorbor <Bernie.Mamorbor at sas.com> wrote:
>> I have executed AppScan Enterprise against our solutions with good results.
>>  
>> Dennis, we would all like to hear your results.
>>  
>> Thanks,
>> Bernie
>>  
>> From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of George Ehrhorn
>> Sent: Thursday, October 09, 2014 8:18 AM
>> To: d.antunes at comcast.net; mario.desousa at coderedinc.com
>> 
>> Cc: Owasp-boston at lists.owasp.org
>> Subject: Re: [Owasp-boston] Web application security scanner recommendation
>>  
>> We have had very good results with IBM AppScan. At a previous company we had very good results with HP WebInspect.
>> 
>> Dennis, I think the list would benefit from hearing your results.
>>  
>>  
>> From: owasp-boston-bounces at lists.owasp.org [mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of d.antunes at comcast.net
>> Sent: Wednesday, October 08, 2014 20:54
>> To: mario.desousa at coderedinc.com
>> Cc: Owasp-boston at lists.owasp.org
>> Subject: Re: [Owasp-boston] Web application security scanner recommendation
>>  
>> I just did a substantial bakeoff. It really depends on your requirements though.
>> 
>> See Shay Chen's http://sectooladdict.blogspot.com for extensive analysis and try to align your needs.
>> 
>> Email me off list if you'd like to hear my results. 
>> 
>> Dennis
>> 
>> 
>> Sent from XFINITY Connect Mobile App
>> -----Original Message-----
>> 
>> From: mario.desousa at coderedinc.com
>> To: jikbal at gmail.com
>> Cc: Owasp-boston at lists.owasp.org
>> Sent: 2014-10-08 18:26:43 GMT
>> Subject: Re: [Owasp-boston] Web application security scanner recommendation
>> 
>> I had a good experience with WhiteHat last year. It's a SaaS product... Easy to setup and thorough. They have a service that also includes human review of the application to find security issues that are in the business logic.
>> 
>> Sent from my iPhone
>> 
>> > On Oct 8, 2014, at 5:26 PM, "Javed Ikbal" wrote:
>> > 
>> > I am in the market for a web application scanner.
>> > 
>> > I have experience with AppScan, WebInspect and Acunetix, although with
>> > older versions.
>> > 
>> > I am not looking for a service like Qualys or Whitehat at this time.
>> > 
>> > Any comments about these and anything else out there?
>> > 
>> > If you recommend a product, please share why you like it.
>> > 
>> > [ I am happy to receive comments from salespeople pushing their own
>> > product, but in that case please email me directly instead of the list
>> > ]
>> > 
>> > Thanks in advance.
>> > 
>> > Javed
>> > _______________________________________________
>> > Owasp-boston mailing list
>> > Owasp-boston at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-boston
> 
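Jim Weiler's complaint above is that the scanner would not tell him, in a usable form, which URLs it had actually requested, so he could not confirm the scan covered what he intended. The script below is an added example written for this archive page; it is not code from the list, from AppScan, Qualys or any other vendor. It assumes the scanner can export a per-request log (the timestamp/method/URL/status format here is constructed, as is the expected URL list you would normally pull from a sitemap or route table), normalizes both sides so that case, trailing slashes, query-parameter order and injected parameter values do not register as gaps, and then reports what was missed, what was hit that you did not list, and what strayed out of scope.

```python
"""Check a DAST scan's crawl coverage against the URL set you meant to scan.

Added example for the thread above, not code from any scanner product.
Assumes the scanner exports one line per request it made; the log format,
the expected URL list and the in-scope host set below are all constructed.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed: the URLs we intended to cover (e.g. from a sitemap or route list).
EXPECTED_URLS = [
    "https://app.example.com/",
    "https://app.example.com/login",
    "https://app.example.com/account/profile",
    "https://app.example.com/search?q=test&page=1",
    "https://app.example.com/api/v1/orders",
    "https://app.example.com/admin/users",
]

# Constructed: request log in an assumed "<timestamp> <method> <url> <status>" format.
SCAN_LOG = """\
2014-10-17T22:01:03Z GET https://app.example.com/ 200
2014-10-17T22:01:04Z GET https://app.example.com/login 200
2014-10-17T22:01:05Z POST https://app.example.com/login 302
2014-10-17T22:01:06Z GET https://APP.example.com/account/profile/ 200
2014-10-17T22:01:07Z GET https://app.example.com/search?page=1&q=test 200
2014-10-17T22:01:08Z GET https://app.example.com/search?q=%27%20OR%201%3D1 200
2014-10-17T22:01:09Z GET https://app.example.com/static/app.js 200
2014-10-17T22:01:10Z GET https://cdn.example.net/lib.js 200
"""

# Constructed: hosts the scan was authorised to touch.
IN_SCOPE_HOSTS = {"app.example.com"}


def normalize(url: str) -> str:
    """Canonical form so cosmetic differences are not reported as gaps.

    Lower-cases scheme and host, drops the fragment, strips a trailing slash,
    and reduces the query string to its sorted parameter *names*, because a
    scanner rewrites parameter values with payloads while probing.
    """
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "&".join(keys), ""))


def parse_scan_log(log: str) -> set[str]:
    """Return the normalized set of URLs the scanner actually requested."""
    urls: set[str] = set()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 3:  # timestamp, method, url[, status]
            urls.add(normalize(fields[2]))
    return urls


def coverage_report(expected: list[str], scanned: set[str], in_scope: set[str]) -> dict:
    """Compare intended coverage with observed requests.

    missed:              expected URLs the scanner never requested
    unexpected_in_scope: in-scope URLs it found that were not on our list
    out_of_scope:        requests to hosts the scan was not authorised for
    coverage:            fraction of the expected list that was requested
    """
    want = {normalize(u) for u in expected}
    missed = sorted(want - scanned)
    unexpected = sorted(u for u in scanned - want if urlsplit(u).netloc in in_scope)
    out_of_scope = sorted(u for u in scanned if urlsplit(u).netloc not in in_scope)
    return {
        "missed": missed,
        "unexpected_in_scope": unexpected,
        "out_of_scope": out_of_scope,
        "coverage": round((len(want) - len(missed)) / len(want), 4) if want else 0.0,
    }


if __name__ == "__main__":
    report = coverage_report(EXPECTED_URLS, parse_scan_log(SCAN_LOG), IN_SCOPE_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing SCAN_LOG with the scanner's request log and EXPECTED_URLS with your sitemap; anything under "missed" is a page the scanner never exercised (authenticated or JavaScript-only areas are the usual culprits), and anything under "out_of_scope" is a request you may need to explain to whoever owns that host.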