<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Arial","sans-serif";
        color:#548DD4;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">We’ve given up using a server based web app scanner (we had AppScan) and now use the Qualys service. I found that of the 42 options in AppScan that could affect
 the scan, most we never used, and some were poorly documented and I could not easily get the info, in a useful format, on what URLs were actually scanned. We wanted that to verify that we were scanning what we wanted.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">I think you need to scan from the internet, not thru your company VPN or from inside your network out to the internet and back, to most accurately mimic an attacker.
 With the Qualys service you have no operational issues like server provisioning and maintenance, upgrades etc. we have also installed Qualys scan engine VMs on internal servers to scan QA, staging etc. and they are managed the same as the service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">Jim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Jim Weiler       CISSP   CSSLP   GSSP - Java<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Application Security Architect<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Information Security Team<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Starwood Hotels      1505 Washington St.   Braintree MA. 02184<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">mobile -
</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">781 654 6048</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#548DD4"><img width="180" height="180" id="Picture_x0020_1" src="cid:image001.jpg@01CFEA33.8D55B5F0" alt="CyberSmaller2"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> owasp-boston-bounces@lists.owasp.org [mailto:owasp-boston-bounces@lists.owasp.org]
<b>On Behalf Of </b>Roy Wattanasin<br>
<b>Sent:</b> Thursday, October 09, 2014 12:59 PM<br>
<b>To:</b> Bernie Mamorbor<br>
<b>Cc:</b> Owasp-boston@lists.owasp.org<br>
<b>Subject:</b> Re: [Owasp-boston] Web application security scanner recommendation<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
Hi All:<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left:.5in">Dependant on what you're looking for, I've had previous positive experiences with IBM AppScan, HP Fortify (previously called WebInspect) and Veracode. There's more today though to test as well.<br>
<br>
Roy<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On Thu, Oct 9, 2014 at 11:13 AM, Bernie Mamorbor <<a href="mailto:Bernie.Mamorbor@sas.com" target="_blank">Bernie.Mamorbor@sas.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I have executed AppScan Enterprise against our solutions with good results.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dennis, we would all like to hear your results.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bernie</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a> [mailto:<a href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b>George Ehrhorn<br>
<b>Sent:</b> Thursday, October 09, 2014 8:18 AM<br>
<b>To:</b> <a href="mailto:d.antunes@comcast.net" target="_blank">d.antunes@comcast.net</a>;
<a href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a></span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><br>
<b>Cc:</b> <a href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
<b>Subject:</b> Re: [Owasp-boston] Web application security scanner recommendation<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
 <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We have had very good results with IBM App Scan. At a previous company we had very good results with HP WebInspect.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
Dennis, I think the list would benefit from hearing your results.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a> [<a href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">mailto:owasp-boston-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b><a href="mailto:d.antunes@comcast.net" target="_blank">d.antunes@comcast.net</a><br>
<b>Sent:</b> Wednesday, October 08, 2014 20:54<br>
<b>To:</b> <a href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a><br>
<b>Cc:</b> <a href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
<b>Subject:</b> Re: [Owasp-boston] Web application security scanner recommendation</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
 <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">
I just did a substantial bakeoff. It really depends on your requirements though.<br>
<br>
See Shay Chen's <a href="http://sectooladdict.blogspot.com" target="_blank">http://sectooladdict.blogspot.com</a> for extensive analysis and try to align your needs.<br>
<br>
Email me off list if you'd like to hear my results. <br>
<br>
Dennis<br>
<br>
<br>
Sent from XFINITY Connect Mobile App<br>
-----Original Message-----<br>
<br>
From: <a href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a><br>
To: <a href="mailto:jikbal@gmail.com" target="_blank">jikbal@gmail.com</a><br>
Cc: <a href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
Sent: 2014-10-08 18:26:43 GMT<br>
Subject: Re: [Owasp-boston] Web application security scanner recommendation<br>
<br>
I had a good experience with WhiteHat last year. It's a SaaS product... Easy to set up and thorough. They have a service that also includes human review of the application to find security issues that are in the business logic.<br>
<br>
Sent from my iPhone<br>
<br>
> On Oct 8, 2014, at 5:26 PM, "Javed Ikbal" wrote:<br>
> <br>
> I am in the market for a web application scanner.<br>
> <br>
> I have experience with AppScan, WebInspect and Acunetix, although with<br>
> older versions.<br>
> <br>
> I am not looking for a service like Qualys or Whitehat at this time.<br>
> <br>
> Any comments about these and anything else out there?<br>
> <br>
> If you recommend a product, please share why you like it.<br>
> <br>
> [ I am happy to receive comments from salespeople pushing their own<br>
> product, but in that case please email me directly instead of the list<br>
> ]<br>
> <br>
> Thanks in advance.<br>
> <br>
> Javed<br>
> _______________________________________________<br>
> Owasp-boston mailing list<br>
> <a href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
> <a href="https://lists.owasp.org/mailman/listinfo/owasp-boston" target="_blank">
https://lists.owasp.org/mailman/listinfo/owasp-boston</a><br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
<br>
_______________________________________________<br>
Owasp-boston mailing list<br>
<a href="mailto:Owasp-boston@lists.owasp.org">Owasp-boston@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-boston" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-boston</a><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
</div>
</body>
</html>