![]() That doesn't mean you don't do any manual testing if the automated tools don't find anything, you still do the manual testing regardless, but if launching a Netsparker scan that takes me exactly five minutes to launch instantly finds me 5 XSS's, that's 5 XSS's I can immediately tell my client about. A real world pentest isn't a CTF, when we get contracts to test a new custom-built application or some technologically illiterate company asking for a pentest of their 10-year-old website and unpatched internal network, we can get DA in a 10 minutes Nessus scan quickly getting us a MS017-010 in the case of internal testing or get a ton of low-hanging fruits with a web app vulnerability scanner. If you're not using a vulnerability scanner to GO ALONG with your manual testing, you're intentionally making the job longer and harder on yourself for no good reason. They don't provide any results in and of itself Right now the only other choice that ticks all the boxes (other than our tried and true Netsparker) seems to be Qualys. We also like the thick client for web application testing on internal networks (intranets, etc.). It seems a lot of vulnerability scanners have moved to models where you integrate it into your dev pipeline and run scans on your application with a per-site license, which obviously doesn't work well for us with the amount of scans we have to do every year. We've tried a bunch over the years and for the past couple of years we've been using Netsparker and we're mostly pleased with it, but our license is about to expire and we're exploring the other choices and was wondering what you guys use. For quick wins/vulnerability assessment on internal and external tests we use Nessus and we also tried it out a couple years back for web testing but the web application scanner felt very lackluster compared to the rest. ![]() ![]() ![]() Tried to make the title as concise as possible, so to put it more in context, we're a pentesting company that does pentesting for basically everything under the sun (though it is about 80% internal/external/web) but for web applications specifically, we get around ~100 contracts/year. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |