-----Original Message-----
From: Sheldon Malm [mailto:smalm () ncircle com]
Sent: Friday, August 15, 2008 10:30 PM
To: Andy Cuff (Talisker)
Cc: pen-test () securityfocus com; Danux;
security-basics () securityfocus com
Subject: RE: Best Commercial Vulnerability Scanner
Andy: have you created a sub-category for Vulnerability Management solutions that offer integrated, dynamic web application scanning?
I'll use Gartner's May 2008 ratings for Vulnerability Assessment to frame the VM space. The following vendors from Gartner's 5 categories have dynamic Web Application scanning capabilities built into their products today:
- Strong Positive: nCircle
- Positive: eEye; Rapid7
Others in the space are likely to follow, but this is it today. (Today, as in August 15th).
Here is Gartner's MarketScope, for anyone who's interested:
I hope this helps.
Sheldon Malm
Director
Security Research and Development
nCircle Network Security
http://blog.ncircle.com/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Andy Cuff (Talisker)
Sent: Friday, August 15, 2008 5:00 PM
To: 'Danux'; security-basics () securityfocus com
Cc: pen-test () securityfocus com
Subject: RE: Best Commercial Vulnerability Scanner
Hi Danux,
We've spent some time breaking down vulnerability scanners into a variety of sub-categories depending on what you need them to do. From your product choice you appear to be looking for a website scanner; our breakdown is as follows:
At the top of the tree are distributed vulnerability scanners, which generally serve enterprises or managed services where you need to distribute the scanning engines due to bandwidth constraints etc. We have listed them here:
http://www.networkintrusion.co.uk/index.php/component/mtree/Scanning-Products/Distributed-Scanners.html
Beneath this would come your network vulnerability scanners, such as Nessus or Hailstorm (Cenzic):
http://www.networkintrusion.co.uk/index.php/component/mtree/Scanning-Products/Network-Scanners.html
Then you start to get specialised, such as with web testing, with products like your Acunetix product, which I just added to the listing along with SPI Dynamics, which I now understand to be WebInspect after its acquisition by HP:
http://www.networkintrusion.co.uk/index.php/component/mtree/Scanning-Products/Website-Scanners.html
Database Scanners:
http://www.networkintrusion.co.uk/index.php/component/mtree/Scanning-Products/Database-Scanners.html
Watchfire has been acquired by IBM, blue rinsed and integrated into Rational software quality management solutions. I can't find much reference to it on the IBM site.
We also have categories for:
- Active and Passive OS Fingerprinting tools such as nmap and P0F
- Network enumerators
- Network mappers (enterprise)
- Vulnerability Exploiters such as Metasploit and Core
The site is a new reincarnation of our old site; some of the listings are dated and I need people to rate and review the products. We hope to launch it properly once it's finished, sometime in September.
Regards
Andy Cuff
Computer Network Defence Ltd
www.networkintrusion.co.uk
We are doing vulnerability testing using SPI Dynamics with Mercury Quality Center for defect management, but this tool is too expensive (SPI), and also when used with MQC it is too slow.
In the past I have used Acunetix; I think it is faster than SPI Dynamics, but I don't know about the price.
Do you know of a Gartner report, personal experience or other source where I can get a comparison between those kinds of products? I mean SPI Dynamics, WatchFire, Acunetix, Cenzic, and so on.
We are looking for cheaper costs, better performance and good vulnerability defect management.
Thanks a lot.
--
Danux, CISSP, OSCP, ISO27001