<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span></span></div><div><div>I'm biased obviously, but Contrast is an instrumentation-based approach to finding vulns that works in real time.  There are a number of advantages.  I talked at AppSecUSA about it <font color="#000000" style="text-decoration: none; background-color: rgba(255, 255, 255, 0);"><a href="http://youtu.be/VQ69Ib_oih8" class="_mlm" style="text-decoration: none; background-color: rgba(255, 255, 255, 0);">http://youtu.be/VQ69Ib_oih8</a>.  Or you can try the free Eclipse plugin </font><a href="http://marketplace.eclipse.org/content/contrast-eclipse">http://marketplace.eclipse.org/content/contrast-eclipse</a>.<br><br>--Jeff<div><br></div></div><div><br>On Oct 17, 2014, at 7:03 PM, Kerry LeBlanc &lt;<a href="mailto:kerry_leblanc@verizon.net">kerry_leblanc@verizon.net</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
    <br>
    Hey you might want to check these guys out: <a class="moz-txt-link-freetext" href="http://www.codenomicon.com/">http://www.codenomicon.com/</a> 
    I met their reps at the Triangle Infosecon here in Raleigh yesterday
    and they really have a great looking product. I myself never used
    it, but considering the sessions they ran and what I have seen on
    their site, they seem like a strong contender. The guys at the
    infosecon really knew what they were talking about. Might not be
    quite what you are looking for, but maybe worth a look.<br>
    <br>
    <span><font color="#888888">
        <pre cols="72"><span style="background-color:rgba(255,255,255,0)">Kerry LeBlanc, CISSP, GISP, C|EH<span class="">
Information Security Consultant
Priveon, Inc.
</span>Cell:   <a href="tel:919-610-7080" target="_blank">919-610-7080</a>
<a href="mailto:kleblanc@priveon.com" target="_blank">kleblanc@priveon.com</a>
<a href="http://www.priveon.com/" target="_blank">www.priveon.com</a></span>


</pre>
      </font></span>
    <div class="moz-cite-prefix">On 10/17/2014 6:00 PM, Weiler, Jim
      wrote:<br>
    </div>
    <blockquote cite="mid:075f11b009014c589a8cde43fff33e1f@CO2PR07MB604.namprd07.prod.outlook.com" type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">We’ve
            given up using a server based web app scanner (we had
            AppScan) and now use the Qualys service. I found that of the
            42 options in AppScan that could affect the scan, most we
            never used, and some were poorly documented and I could not
            easily get the info, in a useful format, on what URLs were
            actually scanned. We wanted that to verify that we were
            scanning what we wanted.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">I
            think you need to scan from the internet, not through your
            company VPN or from inside your network out to the internet
            and back, to most accurately mimic an attacker. With the
            Qualys service you have no operational issues like server
            provisioning and maintenance, upgrades, etc. We have also
            installed Qualys scan engine VMs on internal servers to scan
            QA, staging, etc., and they are managed the same as the
            service.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">Jim<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Jim
            Weiler       CISSP   CSSLP   GSSP - Java<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Application
            Security Architect<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Information
            Security Team<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">Starwood
            Hotels      1505 Washington St.   Braintree MA. 02184<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D">mobile
            -
          </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4">781
            654 6048</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3E1F7D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
        <p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
            <a class="moz-txt-link-abbreviated" href="mailto:owasp-boston-bounces@lists.owasp.org">owasp-boston-bounces@lists.owasp.org</a>
            [<a class="moz-txt-link-freetext" href="mailto:owasp-boston-bounces@lists.owasp.org">mailto:owasp-boston-bounces@lists.owasp.org</a>]
            <b>On Behalf Of </b>Roy Wattanasin<br>
            <b>Sent:</b> Thursday, October 09, 2014 12:59 PM<br>
            <b>To:</b> Bernie Mamorbor<br>
            <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:Owasp-boston@lists.owasp.org">Owasp-boston@lists.owasp.org</a><br>
            <b>Subject:</b> Re: [Owasp-boston] Web application security
            scanner recommendation<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
        <div>
          <div>
            <p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">Hi
              All:<o:p></o:p></p>
          </div>
          <p class="MsoNormal" style="margin-left:.5in">Dependent on
            what you're looking for, I've had previous positive
            experiences with IBM AppScan, HP Fortify (previously called
            WebInspect) and Veracode. There's more today though to test
            as well.<br>
            <br>
            Roy<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal" style="margin-left:.5in">On Thu, Oct 9,
              2014 at 11:13 AM, Bernie Mamorbor &lt;<a moz-do-not-send="true" href="mailto:Bernie.Mamorbor@sas.com" target="_blank">Bernie.Mamorbor@sas.com</a>&gt;
              wrote:<o:p></o:p></p>
            <div>
              <div>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
                    have executed AppScan Enterprise against our
                    solutions with good results.
                  </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dennis,
                    we would all like to hear your results.</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bernie</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                <div>
                  <div style="border:none;border-top:solid #E1E1E1
                    1.0pt;padding:3.0pt 0in 0in 0in">
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
                        <a moz-do-not-send="true" href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a>
                        [mailto:<a moz-do-not-send="true" href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a>]
                        <b>On Behalf Of </b>George Ehrhorn<br>
                        <b>Sent:</b> Thursday, October 09, 2014 8:18 AM<br>
                        <b>To:</b> <a moz-do-not-send="true" href="mailto:d.antunes@comcast.net" target="_blank">d.antunes@comcast.net</a>;
                        <a moz-do-not-send="true" href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a></span><o:p></o:p></p>
                    <div>
                      <div>
                        <p class="MsoNormal" style="margin-left:.5in"><br>
                          <b>Cc:</b> <a moz-do-not-send="true" href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
                          <b>Subject:</b> Re: [Owasp-boston] Web
                          application security scanner recommendation<o:p></o:p></p>
                      </div>
                    </div>
                  </div>
                </div>
                <div>
                  <div>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"> <o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We
                        have had very good results with IBM App Scan. At
                        a previous company we had very good results with
                        HP WebInspect.</span><o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
                        Dennis, I think the list would benefit from
                        hearing your results.</span><o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
                        <a moz-do-not-send="true" href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">owasp-boston-bounces@lists.owasp.org</a>
                        [<a moz-do-not-send="true" href="mailto:owasp-boston-bounces@lists.owasp.org" target="_blank">mailto:owasp-boston-bounces@lists.owasp.org</a>]
                        <b>On Behalf Of </b><a moz-do-not-send="true" href="mailto:d.antunes@comcast.net" target="_blank">d.antunes@comcast.net</a><br>
                        <b>Sent:</b> Wednesday, October 08, 2014 20:54<br>
                        <b>To:</b> <a moz-do-not-send="true" href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a><br>
                        <b>Cc:</b> <a moz-do-not-send="true" href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
                        <b>Subject:</b> Re: [Owasp-boston] Web
                        application security scanner recommendation</span><o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"> <o:p></o:p></p>
                    <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">I
                      just did a substantial bakeoff. It really depends
                      on your requirements though.<br>
                      <br>
                      See Shay Chen's <a moz-do-not-send="true" href="http://sectooladdict.blogspot.com" target="_blank">http://sectooladdict.blogspot.com</a>
                      for extensive analysis and try to align your
                      needs.<br>
                      <br>
                      Email me off list if you'd like to hear my
                      results. <br>
                      <br>
                      Dennis<br>
                      <br>
                      <br>
                      Sent from XFINITY Connect Mobile App<br>
                      -----Original Message-----<br>
                      <br>
                      From: <a moz-do-not-send="true" href="mailto:mario.desousa@coderedinc.com" target="_blank">mario.desousa@coderedinc.com</a><br>
                      To: <a moz-do-not-send="true" href="mailto:jikbal@gmail.com" target="_blank">jikbal@gmail.com</a><br>
                      Cc: <a moz-do-not-send="true" href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
                      Sent: 2014-10-08 18:26:43 GMT<br>
                      Subject: Re: [Owasp-boston] Web application
                      security scanner recommendation<br>
                      <br>
                      I had a good experience with WhiteHat last year.
                      It's a SaaS product... Easy to set up and thorough.
                      They have a service that also includes human
                      review of the application to find security issues
                      that are in the business logic.<br>
                      <br>
                      Sent from my iPhone<br>
                      <br>
                      > On Oct 8, 2014, at 5:26 PM, "Javed Ikbal"
                      wrote:<br>
                      > <br>
                      > I am in the market for a web application
                      scanner.<br>
                      > <br>
                      > I have experience with AppScan, WebInspect
                      and Acunetix, although with<br>
                      > older versions.<br>
                      > <br>
                      > I am not looking for a service like Qualys or
                      Whitehat at this time.<br>
                      > <br>
                      > Any comments about these and anything else
                      out there?<br>
                      > <br>
                      > If you recommend a product, please share why
                      you like it.<br>
                      > <br>
                      > [ I am happy to receive comments from
                      salespeople pushing their own<br>
                      > product, but in that case please email me
                      directly instead of the list<br>
                      > ]<br>
                      > <br>
                      > Thanks in advance.<br>
                      > <br>
                      > Javed<br>
                      >
                      _______________________________________________<br>
                      > Owasp-boston mailing list<br>
                      > <a moz-do-not-send="true" href="mailto:Owasp-boston@lists.owasp.org" target="_blank">Owasp-boston@lists.owasp.org</a><br>
                      > <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-boston" target="_blank">
https://lists.owasp.org/mailman/listinfo/owasp-boston</a><br>
                      </p>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
        </div>
      </div>
    </blockquote>
    <br>
  

</div></blockquote></div></body></html>