Vulnerability Scanner Comparison


Deepak Rathore

Jan 7, 2013, 2:37:36 PM
to null-...@googlegroups.com
Hi All,

I am working in a big setup of HP WebInspect with the AMP web console (3 production WebInspect servers, 2 dev WebInspect servers, 20+ AMP sensors); however, daily we are facing some issues with HP. The HP guys are also not able to resolve our issues, so we are looking for an alternative to HP. We have some dependency due to our functional working model: we need a web-based centralized scanner like the HP AMP web console.

My team researched this and we found some commercial scanners: Cenzic Hailstorm, NStalker, NTO Spider & IBM AppScan.

Our priority is: 1. NTO Spider, 2. NStalker, 3. Cenzic

We have issues with cost and licensing too, so we are avoiding IBM AppScan.

Acunetix is the best tool, but we can't use standalone installation tools due to our functional dependency.

Kindly share your experience with dynamic scanning tools which provide good results (fewer false positives), are good in licensing and cost, have a good handling mechanism and are better than HP WebInspect/AMP.

Thanks & Regards-----

Deepak Rathore.

--------------------------------------------------------------------------------------------------------------------------------------------
"The more you know, the more you realize you know nothing."
--------------------------------------------------------------------------------------------------------------------------------------------

Deepak Rathore

Jan 8, 2013, 2:12:46 PM
to null-...@googlegroups.com
We are using Qualys for infra scanning, not for app scanning.

Warm Regards-----


Deepak Rathore.


On Tue, Jan 8, 2013 at 4:42 PM, Harshwardhan <harshward...@gmail.com> wrote:
Have you evaluated Qualys for your requirement?
--
Get ready to Goa!
nullcon security conference Goa Feb 27th - March 2nd 2013
http://nullcon.net
 
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
 

hemant mittal

Jan 8, 2013, 2:18:45 PM
to null-...@googlegroups.com
Then how about nCircle?
 
Thanks & Regards,
Hemant Mittal

hemant mittal

Jan 8, 2013, 2:35:30 PM
to null-...@googlegroups.com
https://mosaicsecurity.com/categories/23-application-security-scanners - hope this helps you.

 
Thanks & Regards,
Hemant Mittal


Deepak Rathore

Jan 8, 2013, 2:54:45 PM
to null-...@googlegroups.com
Hi Hemant,

We have not tried nCircle.

Kindly share your experience regarding nCircle performance, cost, support and maintenance.


Warm Regards-----

Deepak Rathore.


hemant mittal

Jan 9, 2013, 12:03:18 AM
to null-...@googlegroups.com
Hi Deepak,
 
Performance is quite good, and it has strong vulnerability detection.
 
Thanks & Regards,
Hemant Mittal


AmarDeep Singh

Jan 9, 2013, 1:34:21 AM
to null-...@googlegroups.com
Qualys is good for infra and not app scanning. I have recently evaluated Rapid7 Nexpose. I found it very nice. A few of its features which give it an edge over other players, like its integration with Metasploit and its capability to tell you the exploit possibility of a vulnerability, are worth looking at. Cenzic is another good product I would definitely recommend.

Thanks,
Amar Deep 

Anupam T

Jan 9, 2013, 12:17:09 AM
to null-...@googlegroups.com

Also the Arachni web scanner is worth a try. It takes time but gives good results. Regards, Anupam


kishore kumar

Jan 9, 2013, 12:57:33 AM
to null-...@googlegroups.com
Recently I had a chance to evaluate NTO Spider. It did not meet my expectations.

Biggest problem: if the application has functionality where clicking on a link opens a new window or a pop-up, boom, NTO cannot handle it. The tool will not move further.

Another requirement: the application uses 3rd-party APIs like YouTube, so the tool should be able to test these scenarios as well. YouTube might not be vulnerable to XSS; however, with the API call, when YouTube code gets embedded in your application, there is a chance of XSS there. NTO claims to detect such issues as well; however, in my case it failed to identify this issue. Manually I was able to identify the XSS, but NTO did not.

I believe before procuring a tool you will be requesting an eval copy of the tool. So please put your requirements to the vendor and evaluate the tool based on your requirements.
Regards,
kishore sangaraju

sandeep patil

Jan 9, 2013, 6:07:16 AM
to null-...@googlegroups.com
Why don't you give Burp Suite Pro a try? It's cost effective and its results are better than scanners which are costly, like AppScan.

Hitesh Bhardwaj

Jan 9, 2013, 11:02:54 PM
to null-...@googlegroups.com
Agreed with Sandeep Patil. Go ahead with Burp Suite.

Hitesh Bhardwaj 
(IT Security Engg.)

Prashanth Sivarajan

Jan 9, 2013, 11:16:09 PM
to null-...@googlegroups.com
I would recommend AppScan if you can afford it.
 
Now about Cenzic: a very good tool with fewer false positives. Very good reporting flexibility. Basic fuzzing for SQL injection and cross-site scripting is very good, and the steps to reproduce are easily derivable from the report.
 
On the down side, I am not very impressed with the spidering. For a simple application with lots of anchor tags, Cenzic does a good job, but if the application uses JavaScript click events to navigate through pages, the crawler usually gets stuck somewhere. No Flash support, and web services scanning is not that extensive. It is not very good with multiple levels of authentication (NTLM and then form-based authentication), but we rarely come across such a situation. No scripting support whatsoever.
 
For all the disadvantages stated above, the solution is to do a manual proxy traversal: set up a proxy and ask your team to click through all the links in the web application. Cenzic captures all the HTTP requests and runs the scan against them. In a future release they are even planning to add a feature to import HTTP requests/responses captured from other proxies to test.
 
Hope this helped.
 
 
regards,
Prashanth

Akash

Jan 9, 2013, 11:21:14 PM
to null-...@googlegroups.com
Has anyone tested the spidering and scanning capabilities of the latest version of OWASP ZAP?

Also, the creators of Netsparker claim zero false positives in their community edition for SQL injection and XSS finding capability.
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager

Hitesh Bhardwaj

Jan 9, 2013, 11:44:54 PM
to null-...@googlegroups.com
Yup, we tested with OWASP ZAP. It's impressive and the results are more powerful.

Hitesh Bhardwaj 
(IT Security Engg.)


Deepak Rathore

Jan 10, 2013, 1:49:14 AM
to null-...@googlegroups.com
We do not want to work with standalone scanners, due to our functional dependency; otherwise Acunetix is best.

We use all those open source proxies and scanners for manual PT.

Has anyone worked on AppScan Enterprise Edition 8.6 with web-based console management?



Warm Regards-----

Deepak Rathore.


sandeep mlist

Jan 10, 2013, 4:50:49 AM
to null-...@googlegroups.com
Try Metasploit Pro; it's good. You can try the trial version, then you can go ahead.

YOGESH PHADTARE

Jan 10, 2013, 12:40:52 PM
to null-...@googlegroups.com
Here is the best guide, only for web application scanners.



On Thu, Jan 10, 2013 at 5:30 PM, <aram...@gmail.com> wrote:
Deepak, I suggest IBM AppScan; if you can invest, that's a good tool.