[Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

Plash Chowdhary plash.chowdhary at tcs.com
Tue Mar 2 03:56:34 EST 2010


Interesting, as per the report none of the test bed was on Java.

My two cents.

Tests can improve a lot if

1) Scans are configured properly (how to scan and parse links, specific
fields to complete a workflow)
2) Type of policy used (one can even customize to get the best result)
3) In general most of the known commercial web application scanners are
more or less good (I don't consider Qualys as a pure-play web app scanner,
it lacks a lot of features in a typical web app scanner)

Regards
Plash





From: "Iyer, Anantharaman" <anantharaman.iyer at capgemini.com>
To: "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
Date: 03/02/2010 02:14 PM
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison
Sent by: owasp-delhi-bounces at lists.owasp.org





I feel every scanner has its pros & cons, so the only way to determine the
best for your needs is to test it against your applications before making
a final call. I have been reading reports and reviews by many authors and
no two reports point out a clear winner.

I am attaching one more report published in Feb 2010 on web application
scanners comparison.

Gautam, this report will give some reason to re-consider WebInspect and
consider NTOSpider ;-)

Regards,

Anantharaman Iyer


From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org]
On Behalf Of John, Arun (HP Software-as-a-Service)
Sent: Monday, March 01, 2010 9:05 PM
To: Gautam Pagedar; Abir Banerjee
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

So has HP/SpiDynamics with Assessment Management Platform.
www.hp.com/go/securitysoftware for info on these tools.

Regards
John

From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org]
On Behalf Of Gautam Pagedar
Sent: Monday, March 01, 2010 9:29 AM
To: Abir Banerjee
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

It's great to see the comparison. We have been using AppScan for more than
5 years now and I somehow feel that it does not give me full control to do
everything.

It's of course a good tool for a novice starting AppSec. We also use Cenzic
and it gives me some extra features and maybe also a way to compare every
time I get into an engagement.

FYI, AppScan has an Enterprise version and it's a cool tool for an
enterprise-wise deployment and getting AppSec testing into the SDLC.

Abir,

Thanks for this report. It gives me a good reason to try WebInspect :-)

thanks,
Gautam
 ----- Original Message -----
 From: Abir Banerjee
 To: manikgupta19 at sqatester.com
 Cc: owasp-delhi at lists.owasp.org
 Sent: Saturday, February 27, 2010 7:24 AM
 Subject: Re: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison

 Hello Manik,

 Webinspect is much better than Appscan since Appscan shows up a lot of
 false positives, and the best web vulnerability scanner would be Acunetix WVS
 + Acusensor. Please see the comparison file attached.
 Regards,

 Abeer Banerjee
 +91 9987099708

 From: Manik Gupta <manikgupta19 at sqatester.com>
 To: owasp-delhi at lists.owasp.org
 Sent: Mon, 22 February, 2010 10:22:14 AM
 Subject: [Owasp-delhi] IBM AppSCAN & HP Webinspect comparison
 Hi,

 Kindly let me know which tool is better for penetration testing among IBM
 AppSCAN & HP Webinspect.


 Regards,
 Manik




 _______________________________________________
 Owasp-delhi mailing list
 Owasp-delhi at lists.owasp.org
 https://lists.owasp.org/mailman/listinfo/owasp-delhi








[attachment "Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf" deleted by
Plash Chowdhary/DEL/TCS]











