Security Basics
Best Commercial Security Testing tools Feb 01 2012 08:26AM
Voulnet (voulnet gmail com) (1 replies)
RE: Best Commercial Security Testing tools Feb 01 2012 05:14PM
Belkacem Abdessemed (Belkacem_Abdessemed rapid7 com) (2 replies)
RE: Best Commercial Security Testing tools Feb 01 2012 06:24PM
Rui Pereira (WCG) (ruiper wavefrontcg com)
Re: Best Commercial Security Testing tools Feb 01 2012 06:16PM
Landron, Manuel (mlandron uspsoig gov) (2 replies)
Re: Best Commercial Security Testing tools Feb 02 2012 04:48PM
Vic Vandal (vvandal well com) (1 replies)
WebInspect is a good recommendation (from Manuel). It goes head-to-head with AppScan. I've used both and did a heavy bake-off where WebInspect came out on top (by a small margin). But since Caleb Sima and the tool/company got bought out it's had some decent improvements but also took some steps backward, in my professional opinion. I can cite details individually if needed, but basically it now misses some issues it used to catch. AppScan misses some stuff too. But WebInspect and AppScan are still very solid tools.

I try not to bash any tool publicly, but in line with that "stay away from Rapid-7" opinion I'll say that when I put eEye Retina through its paces in that mentioned bake-off it performed terribly. I'm guessing it got better the past couple of years, but I don't have any recent personal testing or usage to verify it one way or the other.

And in all fairness Rapid-7 has actually gotten much better the past couple of years than it was. Its new hooks into MetaSploit are also a desirable feature for some users. But it has advantages and disadvantages compared to similar tools like Lumension STAT Scanner and GFI LANguard. Rapid-7 also recently added some Oracle scan capabilities that STAT and GFI can't match (yet). I've used all 3 of those a bit extensively.

What I like about Lumension STAT is the ability to easily code up custom vulnerability and attestation checks (which I use extensively), and to do my own ad-hoc reporting against its back-end DB (which I also do extensively). I've not been able to duplicate those functions with Rapid-7.

I have some close friends who work for GFI, so I'd rather not give any professional or personal input on that tool. It may come across like the guy who posted a Rapid-7 link and suggestion from a rapid7.com email address (eye roll).

But each tool has pros and cons, and buyers should lay out their technical and functional requirements prior to evaluating tools and choosing one or more. That's the bottom line and is my professional advice to the person that started this thread. The product(s) that meet the needs of myself, my employer, and the environment in which I need to assess risk (and/or break into) may or may not be the best choice for your environment.

Peace,
Vic

P.S. I find the repeated appending of that Apache SSL Thawte cert spam to each security-basics inquiry and response to be really annoying. I'm just saying. I removed 3 copies of that message from this thread before hitting Send on my response.

----- Original Message -----
From: "Manuel Landron" <mlandron (at) uspsoig (dot) gov>
To: "Belkacem Abdessemed" <Belkacem_Abdessemed (at) rapid7 (dot) com>
Cc: "Voulnet" <voulnet (at) gmail (dot) com>, security-basics (at) securityfocus (dot) com
Sent: Wednesday, February 1, 2012 1:16:29 PM
Subject: Re: Best Commercial Security Testing tools

We use Nessus, GFi LANguard, Appdetective, and WebInspect. Stay away from Rapid 7.

Sent from my iPhone

On Feb 1, 2012, at 10:12 AM, "Belkacem Abdessemed" <Belkacem_Abdessemed (at) rapid7 (dot) com> wrote:

> www.rapid7.com
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Voulnet
> Sent: Wednesday, February 01, 2012 3:27 AM
> To: security-basics (at) securityfocus (dot) com
> Subject: Best Commercial Security Testing tools
>
> Hello, I'm trying to compile a list and get quotations for the best commercial security pentesting tools, things like Metasploit Pro, Core Impact, Acunetix, etc.
>
> Please, give me your recommendations!
>


Re: Best Commercial Security Testing tools Feb 04 2012 04:46PM
security (at) stealthnodes (dot) com (security stealthnodes com)
Re: Best Commercial Security Testing tools Feb 01 2012 06:54PM
Kalka, Jean F DOD CIV (US) (jean f kalka civ mail mil)
Copyright 2010, SecurityFocus