"The range of products calling themselves 'security scanners' is so
broad that the designation is flirting with irrelevance. You have your
vulnerability assessment software, which uses large databases of known
vulnerabilities. Then there are penetration-testing applications that
focus on fewer vulnerabilities but include the ability to exploit flaws
instead of just identify them. More relevant to this Rolling Review are
Web application scanners, which attempt to uncover problems in newly
developed software, before they get exploited.

As an added twist in this review, we've focused our testing on
Ajax applications. We've already evaluated Hewlett-Packard (HP)'s
WebInspect (formerly from SPI Dynamics) and Cenzic's Hailstorm. Both
are Web application vulnerability scanners aimed primarily at crawling
new Web apps looking for exploitable flaws. Sure, they're able to
detect some common misconfigurations within Web servers and languages,
even pick up a few stock bugs in known programs. But that's not their
primary focus."
Article Link: http://www.informationweek.com/news/showArticle.jhtml?articleID=201803341&subSection=All+Stories