Re: Which Commercial Web App Scanner?

From: Roman Medina-Heigl Hernandez (romanrs-labs.com)
Date: Fri Oct 16 2009 - 02:39:54 CDT


Dan Anderson wrote:
> 2009/10/15 Roman Medina-Heigl Hernandez <romanrs-labs.com>:
>> PS: Norma, if you discarded Appscan due to its price then forget WebInspect
>> too! It will also be more difficult for you to get an eval version from a
>> big company like HP or IBM, than from smaller ones (I'd evaluate Acunetix,
>> if I were you).
>
> FUD.

Mmmmm... let's see...

> http://www.ibm.com/developerworks/downloads/r/appscan/standarded.html?S_TACT=105AGX23&S_CMP=rnav

"With the evaluation license you can scan only a test Web site, Altoro
Mutual at http://demo.testfire.net."

When I say "evaluation" I mean a *real* evaluation. If you consider that
launching the app against a specially and "carefully prepared" environment
is sufficient to evaluate a product then I wouldn't hire you to perform an
eval job :) Please, let's be serious, Dan.

> https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

Same applies here. Now try to contact them for any tech (or non-tech)
question about its product, evaluation conditions, eval license extension, etc.

This case is real: I had 1-2 weeks to perform some quick eval and tried to
contact them using the page you provided (or a similar one, I don't recall; you
are not the only one who knows how to fill in a Google form and hit the
enter key). I never got it... because by the time a person was (supposedly)
ready to send me the eval license, 3-4 weeks had passed and I was out of my
eval time, so I aborted it :)

It is that simple: big company == more bureaucracy == more time.

> Two seconds with Google is your friend.

Two seconds reading the former URLs, or (more time to) simply trying to ask
for a real eval opportunity, and you could avoid embarrassing yourself in a
public mailing-list :)

Cheers,
-Roman
