Wednesday, March 14, 2007

On Web App Scanners

Dark Reading today covered SPI's announcement of AMP 3, their clone of AppScan Enterprise.

I haven't seen AMP, so for me to bag on it is a little unfair. But to me, the notion of automated scanning and reporting at the web-app level seems like a flawed idea. So to be clear, I'm not picking on AMP, but rather AMP and all of the other products like it.

I totally see the value of doing web-app security testing. But I worry that the click-n-fire scanning that these "enterprise" products offer is getting companies to pay more money for less depth by sacrificing quality for quantity. Regular scans are great, but it is my opinion that these products will find the low-hanging fruit and miss other vulnerabilities. Not because they can't find some of the more difficult vulns, but because the out-of-the-box scans come in two flavors: noisy and incomplete. We already have this at the network level. Are companies ready to admit defeat at the app level already, too?

