[WEB SECURITY] RE: Web Application Scanners Comparison

Martin O'Neal martin.oneal at corsaire.com
Wed Jan 28 16:16:37 EST 2009

> I know some of you disagree - 
> but maybe we can get some 
> intelligent discourse around this?

maybe... :)

I personally don't think there is only one way to test a web app, in
the same way that there isn't only one way to develop it.

Targeted testing is good, but may provide limited coverage for the time
expended.  Crawling, whilst a bit of a blunderbuss, can pick out obscure
stuff that you'll not typically find by any other approach, unless you
spend a disproportionate amount of time manually analysing every page in
infinite detail.

The best balance is a little of column A and a little of column B (*),
which is where the value of a person driving the process beats a
point-and-click tool every time.

We regularly provide assessment projects to clients that have bought and
use one of the web scanners within their dev or QA teams, and when we
come back with a collection of show-stopper issues that weren't picked
up by the scanner, we have to take a deep breath and explain that
marketing material may not be entirely true.

The real problem here though is perception.  A web scanner isn't an
assessment; it may support one, but it isn't one of itself.  Buying one
and expecting it to find all the issues in every app is unrealistic.
Selling it as doing so is pants-on-fire material. :o


(*) tm Dave Ryan, all rights reserved.
