[WEB SECURITY] which is the best web application vulnerability scanner

Michal Zalewski lcamtuf at coredump.cx
Wed May 4 15:55:17 EDT 2011


> 1. In corporate environments you cannot just download any tool (especially freeware ones) and run it; those need to be approved tools, or at least it should be that way. I cannot imagine a company allowing its users to download/run anything they want.

If corporate "security" policies prevent the actual security team from
leveraging security testing tools, then... you probably have a problem
more significant than selecting the right tool ;-)

> 3. Scanners run in a corporate environment must be allowed by the IDS/IPS, WAF, and so on, to go through and reach the target. As you know, every scanner has an HTTP header that identifies it to the network. With your approach, the networking team will need to allow different scanners in the network; by the way, those could also be the ones from malicious guys.

Ditto if you whitelist access to your systems based on HTTP header layout ;-)

/mz
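The "ditto" in the reply above is the whole argument in one line, so here is the same point as a worked example. This is added code, not anything from the thread or from any scanner; the User-Agent strings, the `X-Scanner-Vendor` header, the `X-Scan-Authorization` token header and the host name are all constructed for the example and are not real tool fingerprints. It shows a WAF-style allowlist and a blocklist that are both keyed on header layout, one function that defeats both by copying the expected layout, and, as an assumed alternative, a check that a header can only back up if it carries a secret shared out of band.

```python
import hmac
import re
from typing import Dict, Tuple

# --- Rule 1: "recognise our approved scanner by its headers" allowlist ---
# Constructed pattern and vendor header, not a real tool's fingerprint.
APPROVED_UA = re.compile(r"^ApprovedScanner/\d+\.\d+$")


def scanner_allowed_by_header(headers: Dict[str, str]) -> bool:
    """WAF/IDS-style exception: let the request through if its headers look
    like the approved scanner.  Any client that sets the same headers passes."""
    ua_ok = bool(APPROVED_UA.match(headers.get("User-Agent", "")))
    return ua_ok and headers.get("X-Scanner-Vendor") == "ExampleCorp"


# --- Rule 2: the mirror image, a blocklist of "known scanner" User-Agents ---
KNOWN_SCANNER_UAS = re.compile(r"(OtherScanner|CrawlBot)/", re.IGNORECASE)


def scanner_blocked_by_header(headers: Dict[str, str]) -> bool:
    """Blocklist keyed on the self-reported User-Agent string."""
    return bool(KNOWN_SCANNER_UAS.search(headers.get("User-Agent", "")))


def disguise(headers: Dict[str, str]) -> Dict[str, str]:
    """What any client, friendly or hostile, can do: adopt the header layout
    the rules are keyed on.  Nothing else about the request has to change."""
    out = dict(headers)
    out["User-Agent"] = "ApprovedScanner/3.1"
    out["X-Scanner-Vendor"] = "ExampleCorp"
    return out


# --- Rule 3 (assumed alternative): a header that proves possession of a secret ---
def scanner_allowed_by_token(headers: Dict[str, str], expected_token: str) -> bool:
    """Assumption for this example: the scan exception is bound to a
    per-engagement token handed to the security team out of band.  The
    comparison is constant-time so the token cannot be guessed byte by byte."""
    presented = headers.get("X-Scan-Authorization", "")
    return hmac.compare_digest(presented, expected_token)


def evaluate(headers: Dict[str, str], expected_token: str) -> Tuple[bool, bool, bool]:
    """Run all three rules on one request: (allowed_by_header, blocked_by_header,
    allowed_by_token)."""
    return (
        scanner_allowed_by_header(headers),
        scanner_blocked_by_header(headers),
        scanner_allowed_by_token(headers, expected_token),
    )


# Constructed sample requests (headers only; the request body is irrelevant here).
ENGAGEMENT_TOKEN = "example-engagement-token-2011-05"  # constructed, not a real secret
HOSTILE_SCAN = {"Host": "app.example.test", "User-Agent": "OtherScanner/1.0"}
APPROVED_SCAN = {
    "Host": "app.example.test",
    "User-Agent": "ApprovedScanner/3.1",
    "X-Scanner-Vendor": "ExampleCorp",
    "X-Scan-Authorization": ENGAGEMENT_TOKEN,
}


if __name__ == "__main__":
    for label, req in (
        ("hostile, as sent", HOSTILE_SCAN),
        ("hostile, disguised", disguise(HOSTILE_SCAN)),
        ("approved, with token", APPROVED_SCAN),
    ):
        allowed, blocked, token_ok = evaluate(req, ENGAGEMENT_TOKEN)
        print(f"{label:22s} allow-by-header={allowed!s:5s} "
              f"block-by-header={blocked!s:5s} allow-by-token={token_ok}")
```

Run as-is: the hostile client is blocked and not allowed by the header rules; after `disguise()` it is allowed and no longer blocked, which is exactly the situation the reply warns about, and only the token check still tells the two apart. The token check is an assumption of this example, not a recommendation from the thread; it also says nothing about network-level controls such as a source-address allowlist for the scanning host, which are a separate question from the header layout.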
