Information Security magazine

January 2003

Web application security scanners: How effective are they?

You're feeling pretty good about the security of your Internet-facing infrastructure. You've been diligent about vulnerability assessments and follow-up remediation to close the holes. Your last scan, using a commercial VA scanner or freeware, such as Nessus, revealed no known vulnerabilities. The only two IP addresses visible externally are your mail gateway and the load balancer for your Web servers. Then you start thinking about the corporate sales and procurement applications that reside behind ports 80 (HTTP) and 443 (SSL). VA scanners won't touch the possible security holes in these apps--and they almost surely have them. So, what to do? One course is to make use of a relatively new class of tools, Web application scanners, which are designed to find those holes. There are only a handful of products in this space. Information Security put two of them, Sanctum's AppScan and SPI Dynamics' WebInspect, through a demanding and broad series of tests to see if they perform as advertised. A third company, Kavado, which makes ...
