
Rolling Review Wrap-up: Web Application Scanners

The final review in Dark Reading's series on Web application security scanners has been released.

"As we wrap up our four-month Rolling Review series, we do want to award some partial credit. While only IBM's WatchFire AppScan automatically handled our Ajax applications, Acunetix Web Vulnerability Scanner, Cenzic Hailstorm and Hewlett-Packard WebInspect (post-update) were capable of analyzing and detecting vulnerabilities in the Ajax application, albeit only when we manually walked them through the relevant bits.

Unfortunately, that's just not good enough. Much of the value of a scanner is that it's a repeatable, exhaustive crawler. Requiring a human to replace the automated spider reduces the code coverage, and thus the effectiveness, of the scanner. So while we don't give those products a complete failing grade, they have a ways to go before they can claim to be truly Ajax-capable. Until then, expect to dig into code manually."
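To make the coverage point concrete, here is an added illustration (my own code, not part of the review or any of the products it discusses). It crawls a constructed sample page the way a static spider does, collecting only anchor hrefs, and then separately pulls the URL literals that the page's inline script hands to XMLHttpRequest.open() and fetch(). The page, the base URL http://app.example/ and the endpoint paths are all made up for the example; the gap between the two sets is the part of the application a link-following crawler never sees.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page for this example (not taken from the review):
# two endpoints are ordinary anchors, two exist only inside script.
SAMPLE_PAGE = """
<html><body>
<a href="/about">About</a>
<a href="/login">Login</a>
<div id="orders"></div>
<script>
  function load(page) {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "/api/orders?page=" + page + "&user=" + userId);
    xhr.send();
  }
  fetch("/api/profile", {method: "POST", body: JSON.stringify({id: userId})});
</script>
</body></html>
"""

BASE = "http://app.example/"  # hypothetical base URL for the sample page


class AnchorExtractor(HTMLParser):
    """Collects href targets the way a classic link-following spider does."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(BASE, value))


def static_crawl(html):
    """Return the absolute URLs a static crawler would queue from this page."""
    parser = AnchorExtractor()
    parser.feed(html)
    return parser.links


# Heuristic only: string literals passed as the URL to xhr.open(METHOD, ...)
# or to fetch(...). Anything built at runtime (the page number, userId) is
# invisible to this regex, which is exactly why scanners need to execute JS.
_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
_CALL_RE = re.compile(
    r"""(?:\.open\(\s*["'](?:GET|POST|PUT|DELETE)["']\s*,\s*|fetch\(\s*)["']([^"']+)["']"""
)


def script_endpoints(html):
    """Return absolute URLs for endpoint literals found in inline scripts."""
    found = set()
    for script in _SCRIPT_RE.findall(html):
        for path in _CALL_RE.findall(script):
            found.add(urljoin(BASE, path))
    return found


def coverage_report(html):
    """Compare what the static spider reaches against what the script exposes."""
    static = static_crawl(html)
    ajax = script_endpoints(html)
    return {
        "static": static,
        "ajax_only": ajax - static,
        "coverage": len(static) / len(static | ajax),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_PAGE)
    for key, value in report.items():
        print(key, value)
```

On the sample page the anchor-only crawl reaches half of the known request targets; the two /api/ endpoints, which are the ones most likely to carry injectable parameters, never enter the queue. Even the regex pass only recovers the literal prefix of the orders URL, not the page and user parameters the script appends, so a scanner that wants to fuzz those parameters has to run the JavaScript (or, as the review describes, have a human drive the application for it).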

Previous products
* Rolling Review: N-Stalker Web App Scanner
* Rolling Reviews: Cenzic Hailstorm
* Rolling Reviews: SPI Dynamics WebInspect

Review Link: http://www.darkreading.com/document.asp?doc_id=13563

