Automated Web Application Scanners

Interesting reading on open source versus commercial scanners and the future of web application scanning. The Watchfire blog has a good discussion of the topic, with an interesting post and some good comments.

A near-perfect web application security testing tool is a difficult thing to achieve. I liken it to the elusive antivirus heuristics that occasionally pop up, yet we are still reliant upon signature-based methods for antivirus and malware detection. At present the online tools here are also based around scanning for known issues with particular configurations or applications / servers. SQLiX does crawl your site looking for obvious SQL injection points and is pretty good at picking up the obvious ones.

The tools we have here, such as OpenVAS and Nikto, and of course Nmap, are the best at what they do. However, they will not fully test your custom-built web application for security holes.

For a real test of custom web code, nothing can beat trained and experienced web application testing specialists doing manual tests with a little help from some specific tools.


--> IBM Application Security Article