[WEB SECURITY] AppScan Enterprise competitors
- From: Marvin Simkin <Marvin.Simkin@xxxxxxx>
- Subject: [WEB SECURITY] AppScan Enterprise competitors
- Date: Tue, 10 Nov 2009 12:43:43 -0700
Yes, I can Google, I can Wikipedia, but what I'm really looking for is experience from other pros rather than a comprehensive list of tools, half of which may not be ready for prime time. What have YOU used that worked well for you in a large enterprise environment?
I'm looking for a web vulnerability scanner in the neighborhood of AppScan Enterprise, with the following attributes:
* Can automatically generate and thereafter manage a very large inventory of web hosts and URLs. (tens of thousands of hosts, many millions of URLs)
* Can tell what's changed since last month / last year / whatever date. Flat files and diff are nice for this, if the tool provides them.
* Uses a frequently-updated list of vuln signatures and probes, so when say a new SQL Injection technique is discovered, it is automatically included in future scans.
* Doesn't force you to manage your security using things that themselves have a poor security history / reputation (MSIE, ActiveX...)
* Takes an enterprise view, not just a single scan of a single "site".
* Can navigate "web 2.0" apps with heavy JavaScript, Flash, etc.
* Can test the same "web application" with multiple roles (public, logged in user, admin) and report on similarities / differences based on role. Should be able to "diff" the list of URLs visible to each role, for example.
* Database backend so you can do ad hoc queries. For example: history of a given URL. When was it first seen? What vulns have been found and fixed over time, and still remain? When did this URL go away (404)?
* Can be scripted / automated, not constantly clicky-clicky to keep it running.
* Multiple concurrent scans and users.
Thanks!!
-------------------------------------
Marvin Simkin
Information Security Architect
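The inventory-tracking requirements in the post above (what changed between two scan dates, which URLs each role can see, and the per-URL history of first-seen, findings fixed or still open, and when the URL went away) are the kind of thing a scanner's database backend needs to answer. The following is an added example, not code from the original post or from AppScan or any other product, showing one minimal data model and the ad hoc queries over it using only Python's standard-library sqlite3. The URLs, dates, roles and vulnerability signature names are constructed sample data.

```python
"""Track a web URL inventory across scans and roles with sqlite3 (stdlib only)."""
import sqlite3
from typing import Dict, Tuple

# Constructed sample data (NOT real scan output): one site crawled on three dates
# as the "public" role, plus one "admin" crawl on the last date. Each observation
# is (url, http_status, [vulnerability signatures found on that URL]).
SAMPLE_SCANS = [
    ("2009-09-01", "public", [("/", 200, []),
                              ("/search", 200, ["sqli-union"]),
                              ("/old-promo", 200, [])]),
    ("2009-10-01", "public", [("/", 200, []),
                              ("/search", 200, ["sqli-union", "xss-reflected"]),
                              ("/old-promo", 404, [])]),
    ("2009-11-01", "public", [("/", 200, []),
                              ("/search", 200, ["xss-reflected"]),
                              ("/old-promo", 404, []),
                              ("/login", 200, [])]),
    ("2009-11-01", "admin",  [("/", 200, []),
                              ("/search", 200, ["xss-reflected"]),
                              ("/login", 200, []),
                              ("/admin/users", 200, ["csrf"])]),
]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Schema: one row per scan, one per URL observed in a scan, one per finding."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS scan(id INTEGER PRIMARY KEY, scan_date TEXT, role TEXT);
        CREATE TABLE IF NOT EXISTS url_obs(scan_id INTEGER, url TEXT, http_status INTEGER);
        CREATE TABLE IF NOT EXISTS finding(scan_id INTEGER, url TEXT, signature TEXT);
    """)
    return conn


def record_scan(conn, scan_date, role, observations) -> int:
    """Store one scan's crawl results; returns the new scan id."""
    cur = conn.execute("INSERT INTO scan(scan_date, role) VALUES (?, ?)", (scan_date, role))
    scan_id = cur.lastrowid
    for url, status, sigs in observations:
        conn.execute("INSERT INTO url_obs VALUES (?, ?, ?)", (scan_id, url, status))
        conn.executemany("INSERT INTO finding VALUES (?, ?, ?)",
                         [(scan_id, url, s) for s in sigs])
    conn.commit()
    return scan_id


def load_sample(conn=None) -> sqlite3.Connection:
    conn = conn or open_db()
    for date, role, obs in SAMPLE_SCANS:
        record_scan(conn, date, role, obs)
    return conn


def urls_seen(conn, scan_date, role, alive_only=True) -> set:
    """URLs observed by a role on a date; by default only those that answered < 400."""
    sql = """SELECT u.url FROM url_obs u JOIN scan s ON s.id = u.scan_id
             WHERE s.scan_date = ? AND s.role = ?"""
    if alive_only:
        sql += " AND u.http_status < 400"
    return {r[0] for r in conn.execute(sql, (scan_date, role))}


def changed_since(conn, old_date, new_date, role) -> Tuple[set, set]:
    """(added, removed) URLs between two scans of the same role: the 'what changed' diff."""
    old, new = urls_seen(conn, old_date, role), urls_seen(conn, new_date, role)
    return new - old, old - new


def role_diff(conn, scan_date, role_a, role_b) -> Tuple[set, set]:
    """(only_a, only_b): URLs one role reaches that the other does not, same date."""
    a, b = urls_seen(conn, scan_date, role_a), urls_seen(conn, scan_date, role_b)
    return a - b, b - a


def url_history(conn, url, role="public") -> Dict[str, object]:
    """First seen, when it went away (first 4xx+ after the last live observation),
    findings still open in the latest live observation, and findings since fixed."""
    rows = conn.execute("""
        SELECT s.scan_date, u.http_status,
               (SELECT group_concat(f.signature) FROM finding f
                 WHERE f.scan_id = s.id AND f.url = u.url)
          FROM url_obs u JOIN scan s ON s.id = u.scan_id
         WHERE u.url = ? AND s.role = ? ORDER BY s.scan_date""", (url, role)).fetchall()
    alive = [d for d, st, _ in rows if st < 400]
    gone = [d for d, st, _ in rows if st >= 400 and (not alive or d > alive[-1])]
    ever, latest = set(), set()
    for _, st, sigs in rows:
        found = set(sigs.split(",")) if sigs else set()
        ever |= found
        latest = found if st < 400 else set()   # a dead URL has no open findings
    return {"first_seen": alive[0] if alive else None,
            "gone_since": gone[0] if gone else None,
            "open": latest, "fixed": ever - latest}


if __name__ == "__main__":
    db = load_sample()
    print("public, Sep -> Nov:", changed_since(db, "2009-09-01", "2009-11-01", "public"))
    print("admin vs public, Nov:", role_diff(db, "2009-11-01", "admin", "public"))
    for u in ("/search", "/old-promo"):
        print(u, url_history(db, u))
```

The point of keeping raw observations rather than a "current state" table is that every question in the post becomes a query over history instead of a feature the tool has to anticipate; with a real scanner you would load its exported flat files into the same shape and run the same queries.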
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org