Security Basics mailing list archives

Re: Best Commercial Security Testing tools
From: Vic Vandal <vvandal () well com>
Date: Thu, 2 Feb 2012 08:48:49 -0800 (PST)

WebInspect is a good recommendation (from Manuel).  It goes head-to-head with AppScan.  I've used both and did a heavy 
bake-off where WebInspect came out on top (by a small margin).  But since Caleb Sima and the tool/company got bought 
out, it's had some decent improvements but also took some steps backward, in my professional opinion.  I can cite details 
individually if needed, but basically it now misses some issues it used to catch.  AppScan misses some stuff too.  But 
WebInspect and AppScan are still very solid tools.

I try not to bash any tool publicly, but in line with that "stay away from Rapid-7" opinion I'll say that when I put 
eEye Retina through its paces in that mentioned bake-off it performed terribly.  I'm guessing it got better the past 
couple of years, but I don't have any recent personal testing or usage to verify it one way or the other.

And in all fairness, Rapid-7 has actually gotten much better the past couple of years than it was.  Its new hooks into 
MetaSploit are also a desirable feature for some users.  But it has advantages and disadvantages relative to similar tools like 
Lumension STAT Scanner and GFI LANguard.  Rapid-7 also recently added some Oracle scan capabilities that STAT and GFI 
can't match (yet).  I've used all 3 of those a bit extensively.

What I like about Lumension STAT is the ability to easily code up custom vulnerability and attestation checks (which I 
use extensively), and to do my own ad-hoc reporting against its back-end DB (which I also do extensively).  I've not 
been able to duplicate those functions with Rapid-7.  

I have some close friends who work for GFI, so I'd rather not give any professional or personal input on that tool.  It 
may come across like the guy who posted a Rapid-7 link and suggestion from a rapid7.com email address (eye roll).
But each tool has pros and cons, and buyers should lay out their technical and functional requirements prior to 
evaluating tools and choosing one or more.  That's the bottom line and is my professional advice to the person that 
started this thread.  The product(s) that meet the needs of myself, my employer, and the environment in which I need to 
assess risk (and/or break into) may or may not be the best choice for your environment.


P.S. I find the repeated appending of that Apache SSL Thawte cert spam to each security-basics inquiry and response to 
be really annoying.  I'm just saying.  I removed 3 copies of that message from this thread before hitting Send on my 

----- Original Message -----
From: "Manuel Landron" <mlandron () uspsoig gov>
To: "Belkacem Abdessemed" <Belkacem_Abdessemed () rapid7 com>
Cc: "Voulnet" <voulnet () gmail com>, security-basics () securityfocus com
Sent: Wednesday, February 1, 2012 1:16:29 PM
Subject: Re: Best Commercial Security Testing tools

We use Nessus, GFi LANguard, Appdetective, and WebInspect. Stay away from Rapid 7. 

Sent from my iPhone

On Feb 1, 2012, at 10:12 AM, "Belkacem Abdessemed" <Belkacem_Abdessemed () rapid7 com> wrote:


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Voulnet
Sent: Wednesday, February 01, 2012 3:27 AM
To: security-basics () securityfocus com
Subject: Best Commercial Security Testing tools

Hello, I'm trying to compile a list and get quotations for the best commercial security pentesting tools, things like 
Metasploit Pro, Core Impact, Acunetix, etc.

Please, give me your recommendations!
