Comments on Security Tools Benchmarking: The 2012 Web Application Scanner Benchmark (blog by Shay Chen)

viewspk (2016-01-16 01:24 -08:00):

WebCruiser Web Vulnerability Scanner 3

http://lobatandawgs.com/104-webcruiser-web-vulnerability-scanner-3.html

http://shanghaiblackgoons.com/107-webcruiser-web-vulnerability-scanner-3.html

---

Shay Chen (2014-02-12 08:16 -08:00):

Hi Thomas,
first of all - a new and more updated benchmark was published last week - you can access it through the following link:
http://sectooladdict.blogspot.co.il/2014/02/wavsep-web-application-scanner.html

The WIVET score is good to determine how well the scanner will identify the structure of the application *automatically* - in the worst case scenario.

So, if for example the WIVET score is 10%, the application has 100 web pages which are all vulnerable to a number of URLs that the scanner can identify, and crawling the application is very difficult due to the technology, the scanner will be able to crawl about 10% of the pages and scan them for vulnerabilities... all the rest will not be tested.

Please take into consideration that this explanation *highly* simplifies the meaning of the WIVET score for the purpose of associating value to it, and in reality, the scanner may crawl anything from 0% to 100%, depending on technology. WIVET is a great score to measure how well it will adapt to different technologies - and isn't related directly to accuracy, more to coverage.

---

Anonymous (2014-02-12 04:52 -08:00):

Hi Shay,

Great article! I have a question about interpreting the list the right way. In which relation do the accuracies stand to the WIVET? For example, for w3af: are those 35.29% the accuracy for the whole application or only for those 19% of WIVET?

Hope you understand my question :) Thanks a lot!

---

Riaan Gouws (2013-10-08 15:15 -07:00):

Shay,

My name is Riaan Gouws and I am the CTO of Quatrashield (http://www.quatrashield.com). First, I think you deserve much credit for the important service that you provide our industry. This detailed article is testament to your passion in this field.

I would like to ask you to also consider including our web application vulnerability scanner - QuatraScan - in your next benchmark study. Based on our own testing, we believe that our false positive rate puts us in the first tier of vendors and we are hopeful that sectooladdict can validate this as well.

I am happy to provide as much info as is needed.

Thanks, Riaan.

---

David Yin (2013-09-17 10:41 -07:00):

It is so good that I found this post. Now I have the idea of how to check my site security.

Thank you.

---

Anonymous (2013-07-23 10:18 -07:00):

Shay,

Thank you for this extremely in-depth analysis of the different types of web application security scanners available. I personally prefer Veracode for application security testing (which is #20 on the list of Forbes' most promising companies in America) because of their dynamic analysis tool and clear reporting. Black Diamond Solutions is actually offering a free application security scan (http://blackdiamondsolutions.com/partner/veracode/) on the Veracode platform. Hope this helps!

---

parkbenchbruce (2013-06-08 06:31 -07:00):

Shay,
Excellent analysis. I was starting out looking for the same answer: is it value for money to have a commercial Web Vulnerability Scanner rather than an open source one? Comparing scanners is like going to a dance and meeting very attractive people; picking one is hard. The long term future is a decider. Keeping up to date with the forks is also difficult. ZAP is a fork of version 3.2.13 of the open source variant of Paros. Vega looks good. IronWasp impressive. Tough choices. The bit I liked is your ability to put yourself in the Consultant's role - scanning an unrestricted amount of IP addresses. Commercial suppliers have trouble with this role.
Thanks

---

Anonymous (Hocine) (2013-04-10 06:17 -07:00):

Hello,

thank you for your excellent article. Do you have a benchmark or vision of Source Code Security Analyzers (HP Fortify Static Code Analyzer, IBM Security AppScan Source, FindBugs, ...) and what is the product that you recommend?

Thanks
Hocine

---

Anonymous (Itay) (2013-03-11 12:50 -07:00):

Shay,
Your research is comprehensive and was really helpful for me in evaluating both commercial and open-source tools. Your selection of assessment criteria was useful for the majority of vulnerabilities/features and it makes comparing the results a bit easier.

One recent update that I found was regarding ZAP, which extended the results using ZAP 2.0.0 (released in January 2013) against WAVSEP, as reported in the following link:

http://code.google.com/p/zaproxy/wiki/TestingWavsep

I look forward to reading your updates and analysis on this research and which conclusions you will reach.

Thanks,

Itay

---

dwoz (2013-01-28 01:11 -08:00):

Thanks, you can contact me via email at dan - orvant.com if you have any questions or comments when you take a look.

---

Shay Chen (2013-01-23 14:51 -08:00):

Will take a look at the next benchmark, somewhere around May.

---

dwoz (2013-01-23 12:19 -08:00):

Hello, I am Co-Founder of Orvant. I think our Securus vulnerability scanner (http://www.orvant.com) would make a worthy addition to the list. One thing that is unique about Securus is that we leverage many of these tools as well as add our own special sauce on top.
Our intent is to provide you with the greatest test and threat coverage possible, as well as the flexibility to decide what tools are worth running; being able to run a side-by-side comparison helps.

---

Anonymous (2012-11-25 22:36 -08:00):

Awesome Article!!!!

---

dikien (2012-11-05 23:33 -08:00):

I am a security guy, too. While planning to pen test, I found your excellent article. I really appreciate your work!