I've used AppScan v5 and also tested other products by vendors such as SPI
Dynamics.
My personal opinion is that AppScan was useful as a high level point and
shoot evaluation tool. But like all of these tools, it's important that
testing is followed by a proper pen test. The strength of AppScan is in its
reporting and output - the reports look nice on a big screen as opposed to a
more functional but less feature rich tool such as Typhon (which I think is
excellent). However, unless you can meticulously go through the report and
validate and weed out all of the "high risk" XSS vulns that it will be
reporting on, then they can be quite misleading if just used without
validation.
Personally, you can't beat doing a proper grey\white box test. For example,
AppScan wont tell you about poorly implemented encryption and it wont
criticize a weak password policy.
As for good open source tools - well, if you want to do a half decent job of
testing the web app, you can't beat a mark 1 eyeball test of the source
code! I generally use a free proxy tool such as Paros and use the web
spidering functionality of Typhon, but the rest is just down to experience.
Note - just my opinion. Not trying to persuade anyone to buy or form an
opinion of the above mentioned software! There is plenty written about all
of them elsewhere.
-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen@gmail.com]
Sent: 17 February 2006 07:04
To: webappsec@securityfocus.com
Subject: Tools comparison and evaluation question (AppScan)
Hi All,
I am currently looking at using/evaluating a tool called AppScan (by
watchfire.com).
So the question is in two parts and ASAP reply would be greatly appreciated.
First:
Without starting a flame war (hopefully) or marketing campaign
(another hopefully) can any one tell me abut their experience with the
software, what you find useful about it, what not, any annoyances,
missing functionality, etc.
Second:
Can anyone recommend any simular type of software, preferably open
source (although not at all essential), and describe its performance,
usability and "usefulness" so to speak using AppScan as a reference
point.
Thanks,
Serg
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
