Free AppScan Trial
I found this in my spam today, a free trial of AppScan. Pretty cool, actually. I like to see companies putting their products on the line for peer review. Of course it’s to get business - I would assume the majority of IT people who get that spam are interested in fixing their machines rather than finding issues with vulnerability assessment and security theory in general.
Still, good to know that companies are doing this. What would be even better, though, is some real statistics on how good each of these scanners is and what each is good and bad at. How hard is a site to hack once it has been tested by these various tools? Isn't that the real statistic? Not how many vulnerabilities a scanner finds, but rather how hard it is to break into your site after it has been scanned.



October 27th, 2006 at 2:18 pm
You're absolutely right… the real question is:
Are these tools finding real vulnerabilities? Do these black-box scanning tools have enough good patterns for injection?
Basically, they only analyse the results they find… I mean, for a real application this kind of tool has to be coupled with a static analysis tool… That's why I'm sceptical about using only these black-box testing tools.
October 28th, 2006 at 7:32 pm
Some of our “penetration testers” use AppScan as a tool of choice. From what I have seen it is good at some things and not so good at others. The newer version is better, but there are still too many false positives IMHO.
Static analysis of the code (if that is what was meant above) is another great method of site testing. IF you can get ALL of the code, and the configurations, and what you analyze is what is actually running on the site. I have written some tools for this, and seen some commercial ones.
There really is no substitute for a knowledgeable live person looking at the site, reading ALL the traffic, and thinking like a determined ATTACKER, not a TESTER. Fancy tools or not, the best "hackers" will find the vulnerabilities and PROVE an attack is possible.
October 30th, 2006 at 2:14 am
Great - you have 7 days to hammer their test site. Pretty senseless. Thanks for the info anyway!
October 30th, 2006 at 9:37 am
Really? Oh, that’s lame. I thought it was the ability to scan anything for 7 days. Bummer, that’s a worthless trial then.
October 31st, 2006 at 4:54 am
I gotta take back what I posted - if you contact their sales they will craft you a license key which enables the software to scan whatever site you want - for seven days. And - I must say - I like the software more than A**netx, for instance.
October 31st, 2006 at 10:09 am
That’s better… I’d love to hear a review of them compared with other things you’ve tested. I’m always interested in why vendor X is better than vendor Y (and preferably not simple arguments like the cost).
October 31st, 2006 at 12:27 pm
.mario: Hmm, because you can inject lots of stuff into their demo website, which is awful, I guess you can… include an iframe in the search box, then include whatever website you want…
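Taking the iframe-in-the-search-box remark above together with the earlier questions about injection patterns and false positives, here is an added example (not code from the original post, and not AppScan's or any vendor's logic) of the core of a black-box reflected-injection check: put a probe in a parameter, fetch the page, then classify how the probe comes back. A probe that is reflected verbatim is a real HTML-injection finding; one that comes back entity-encoded is the classic false positive a naive "is my string in the page" check reports. The URLs, parameter names and both sample responses are constructed for the example; `example.invalid` and `demo.invalid` are reserved names that resolve nowhere.

```python
"""Added example: the core of a black-box reflected-injection check.

This is illustrative code, not any scanner's real logic. It shows what a
black-box tool does per parameter: build a request carrying a probe, then
inspect the response for that probe and decide whether the reflection is
exploitable (raw) or harmless (entity-encoded).
"""
import html
import re
from urllib.parse import quote

# Probe marker. example.invalid is a reserved, non-resolving name (assumption
# for the example; a real scan would point at a host the tester controls).
PROBE = '<iframe src="http://example.invalid/">'
PROBE_SRC = "http://example.invalid/"


def build_probe_url(base_url, param, probe=PROBE):
    """URL a scanner would request: the probe placed in the chosen parameter."""
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}{param}={quote(probe, safe='')}"


def classify_reflection(body, probe=PROBE):
    """Classify how the probe came back in the response body.

    'raw'     -> probe appears verbatim: markup injection, a real finding
    'encoded' -> probe appears only entity-escaped (&lt;iframe ...&gt;):
                 reflected but inert, the usual false positive
    'absent'  -> nothing reflected
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def iframe_is_live(body, src=PROBE_SRC):
    """Stronger confirmation: is there an actual <iframe> tag with our src?"""
    pattern = r'<iframe\b[^>]*\bsrc\s*=\s*["\']' + re.escape(src) + r'["\']'
    return re.search(pattern, body, re.IGNORECASE) is not None


def scan(responses):
    """responses: {param: body} as returned for each build_probe_url(...) request.

    Returns (findings, notes): parameters with raw reflection are findings,
    parameters with encoded reflection are only notes, never reported as
    vulnerabilities.
    """
    findings, notes = [], []
    for param, body in responses.items():
        kind = classify_reflection(body)
        if kind == "raw" and iframe_is_live(body):
            findings.append(param)
        elif kind == "encoded":
            notes.append(param)
    return findings, notes


# Constructed sample responses, not captured from any real site.
VULNERABLE = '<p>Results for: <iframe src="http://example.invalid/"></p>'
SAFE = "<p>Results for: &lt;iframe src=&quot;http://example.invalid/&quot;&gt;</p>"
UNRELATED = "<p>No results.</p>"


if __name__ == "__main__":
    # demo.invalid is a constructed host name for the example
    print(build_probe_url("http://demo.invalid/search", "q"))
    found, noted = scan({"q": VULNERABLE, "page": SAFE, "lang": UNRELATED})
    print("findings:", found)   # ['q']
    print("encoded only:", noted)  # ['page']
```

The `scan` function only reports a parameter when the probe is both present verbatim and parsed as a real `<iframe>` tag; a scanner that stops at "my string is somewhere in the response" would flag the `page` parameter too, which is exactly the kind of false positive the comments above complain about.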
December 25th, 2006 at 7:01 am
Watchfire called me and told me about the free trial of AppScan.
I know this is months after, but I wanted to post information about why I think they did this, even though it has a 7-day trial.
Basically, you can have the scanner and then put the license key into it later to activate it. Watchfire sells "pen-tester" licenses that are active for 2 weeks and cost something like $1500. Works nicely if you have a client to pass the T&M costs to. I thought it was interesting, at least.
December 25th, 2006 at 8:47 am
Was it any good? What did you think of it compared to some of the open source/free scanners?