From: A.R. (r00t@northernfortress.net)
Date: Thu Sep 16 2004 - 20:44:34 EDT
I think that when having to choose between a free and a commercial tool,
it's all about figuring out the return of investment.
If it takes one week to manually inspect an application with
nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
the "grunt" work plus 2 days for the manual refinement, the 4 days I
gain are worth more than the ~1,000 dollars I have to spend for a 7-days
Appscan license.
In the end, I usually prefer to use Paros (free tool), but I think that
in some situations AppScan/WebInspect can be at least worth a look, even
if their price makes them look unprofitable at first sight.
NB: I have never used AppDetective, so I am not saying in any way that
the other tools are better
Just my 2 cents, of course :)
A.
On Wed, 2004-09-15 at 15:27, chuan.delahosseraye@accenture.com wrote:
> According to my previous search on a Web pen-test tools, AppScan,
> WebInspect and Scando are all much more expensive than AppDetective. If
> cost is a concern, it might be possible to combine a selection of free
> tools such as:
>
> - Nessus
> - Nikto
> - WebScarab
> - Achilles
>
> But this would involve a lot of Manual works.
>
> Hope this helps
> Chuan
>
> -----Original Message-----
> From: A.R. [mailto:r00t@northernfortress.net]
> Sent: 15 September 2004 12:27
> To: andrew@beegads.com
> Cc: pen-test@securityfocus.com
> Subject: Re: Web Application Tester
>
> Andrew,
>
> I don't know what's your budget, but for web applications you can try
> the following commercial products:
>
> - AppScan, by Sanctum (www.sanctuminc.com)
> - WebInspect, by Spidynamics (www.spidynamics.com)
> - ScanDo, by Kavado (www.kavado.com)
>
> ...Or the good ol' Paros (http://www.proofsecure.com/download.shtml),
> open source and free
>
> Hope this helps
>
> Alberto Revelli
> Northern Fortress, Inc.
>
> On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
> > Does anyone know of an application tester similar to AppDetective
> > thats not as hard on the pocket book?
> > I need to pentest a web app and am looking for some tools
> >
> > Thanks,
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT