I’ve recently covered two of my favorite, yet lesser-known, Web vulnerability scanners: Acunetix Web Vulnerability Scanner and N-Stalker Web Application Security Scanner. Two worthy products indeed. Now I’d like to shed some light on HP’s WebInspect.
I’ve been using WebInspect since before testing Web sites/apps was cool. In fact, WebInspect was one of the original commercial Web scanners. It may have even been the first. Anyway, I started a relationship with the folks at S.P.I. Dynamics back in 2001 when I was working for a B2B marketplace startup. What a great bunch of people to know and work with. Many of those folks have since jumped ship after the acquisition by HP. 😐
The good news is that the acquisition has not bastardized the product like I assumed it might when I first heard about HP coming into the picture.
Anyway, without going into too much detail, I’ve found that WebInspect consistently finds the key Web vulnerabilities you need to know about. It’s not going to find everything – no scanner does, as I talked about here. But it does tend to find vulnerabilities that no other tool – or manual analysis – can find. Well, except for a few here and there that slide by. This is why I’ve reached a point in my career where I’m realizing that using multiple tools can be your security saving grace.
WebInspect also has a good toolset that they used to charge extra for, but it’s now bundled in. The following screenshot shows the basic interface of WebInspect 7 (which has since been “fixed” in WebInspect 8, just released today) along with the toolset:
WebInspect is not without its flaws or shortcomings… No security testing tool is perfect. Probably the biggest gripe I have about it is the Web Brute password cracking tool. I’m still waiting for it to live up to its name (it’s a dictionary cracking tool – not a brute-force tool as the name implies). Makes you appreciate what HooBie accomplished with Brutus “way” back in 1998! As with any product (or relationship, for that matter), the wise adult learns to live with it and stays focused on the positive side of things. 🙂
That said, if you’re looking for a leader in the Web security scanner space and can justify the investment, definitely check out WebInspect.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”