Web Application Security Testing

RedWolf

Golden Member
Oct 27, 1999
We are starting to look at web application security and have been talking to someone at IBM about IBM (Watchfire) Rational AppScan. It seems to be fairly pricey compared to some of the others in our admittedly limited searching.

Has anyone got suggestions for programs to do web application security testing? We're only just beginning our search and there doesn't seem to be a lot of information/reviews out there. I've seen a couple of pages that have some information but it looks to be out of date.

http://www.softwareqatest.com/qatweb1.html#SECURITY
http://sectools.org/web-scanners.html

We are a small IT department, so our scans would be fairly limited in the number of people who will perform a scan (maybe three people), and we are looking at the developer version of AppScan (which is limited to one person). Our budget is tight, but we also want something that is simple to use and works well. I'd say our main concerns are SQL injection and general server security. We are a mostly Windows shop but do have a couple of Ubuntu servers.

Zugzwang152

Lifer
Oct 30, 2001
My company is about to purchase AppScan. I did the initial evaluation and was pleased with the results and usability of the app. The configuration is easy and straightforward, and has a wizard if you dislike diving into the full config page. The remediation advice is very good, and gives the developer the full background on a particular vulnerability, helping them see the big picture in addition to giving them the bottom-line instructions on what to fix.

The reporting is excellent, and contains many useful modules. I happened to use the OWASP top 10 and HIPAA reports during my test scans, but there's also SOX and numerous other regulatory reports available, both US and Canadian.

You may want to look at HP WebInspect, which is the only other product I was going to evaluate, until we got AppScan thrown in with our larger IBM contract for (practically) free, which removed the need to evaluate anything else.

While you're debating, Scrawlr is a nice free utility from HP. It's limited to searching for SQL injection, but if it finds a bunch of stuff on your sites, you can take quicker action to resolve.
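Both posts come back to SQL injection: the first names it as the main concern, and the second points at Scrawlr, which hunts for nothing else. What such a scanner actually does is worth seeing in code. The block below is an added example, not code from this thread or from AppScan, WebInspect or Scrawlr: a minimal error-based and boolean-based injection probe in Python, run against an in-memory SQLite table, with a string-concatenated handler beside a parameterized one. The table, the sample rows and every function name are constructed for the illustration.

```python
"""Error-based and boolean-based SQL injection probe, scanner style.

Constructed example: an in-memory SQLite table stands in for the app's
database, and two lookup functions stand in for a vulnerable and a fixed
page handler. Nothing here is taken from a real product or system.
"""
import sqlite3

# Constructed sample data (hypothetical users, not from any real system).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users (username, email) VALUES (?, ?)",
    [("alice", "alice@example.org"), ("bob", "bob@example.org"), ("carol", "carol@example.org")],
)
_conn.commit()


def lookup_vulnerable(username):
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return _conn.execute(sql).fetchall()


def lookup_hardened(username):
    """Same query with a bound parameter; the input is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return _conn.execute(sql, (username,)).fetchall()


def _call(handler, value):
    """Invoke a handler the way a scanner sees a page: a result or an error."""
    try:
        return ("ok", handler(value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def probe_sqli(handler, baseline_input):
    """Send three probes and compare responses; no access to the SQL text.

    error_based:   a lone quote breaks the statement, so the handler errors
                   (a web scanner would look for a 500 or a DB error string).
    boolean_based: appending an always-true condition leaves the response
                   unchanged while an always-false one changes it, which only
                   happens if the input is reaching the SQL parser.
    """
    baseline = _call(handler, baseline_input)
    quote = _call(handler, baseline_input + "'")
    cond_true = _call(handler, baseline_input + "' AND '1'='1")
    cond_false = _call(handler, baseline_input + "' AND '1'='2")
    return {
        "error_based": quote[0] == "error",
        "boolean_based": cond_true == baseline and cond_false != baseline,
    }


def is_injectable(handler, baseline_input="alice"):
    """Scanner verdict: any positive signal flags the parameter."""
    result = probe_sqli(handler, baseline_input)
    return result["error_based"] or result["boolean_based"]


if __name__ == "__main__":
    for name, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, probe_sqli(handler, "alice"), "injectable:", is_injectable(handler))
```

A real scanner sends the same three probes over HTTP and diffs response bodies after stripping dynamic content such as timestamps and session tokens; the decision logic is the one above. The hardened handler returns an empty result for every probe because the quote and the `AND` clause are simply part of a username that does not exist, so neither signal fires.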