Elza: I know professionals who still use this for testing, albeit it’s a bit outdated. For example, I think Nikto (built on libwhisker after whisker) replaced a lot of its functionality, as did screamingCobra. Around the same time, Sanctum and spiDYNAMICS did the whole commercial plays.
After web application security scanners started to become popular in the most elite circles, more vendors appeared on the scene, and prices went up. This led a lot of small security boutiques to take one of two directions:
1) Work with a vendor and provide “free” bug-reporting, feature requests, and false positive identification work in exchange for a free copy of the tool
2) Switch to open-source tools such as Burp Suite, Paros, or Wapiti (i.e. back to the “Elza” days)
After Acunetix announced a free version of their WVS scanner for XSS only, the “script kiddie” crowd we all know and love entered the scene. This has driven a lot of application security service companies to increase their efforts in hybrid or composite analysis/review. In turn, this has created five new types of web application security service offerings:
1) WASS+SCA (HP DevInspect, IBM AppScan DE)
2) SCA+WAF (Fortify RTA)
3) WASS+WAF (Imperva, WhiteHatSec+F5/Breach)
4) WASS+SCA+WAF (Just in idea-phase right now)
5) WASS+SCA+Fix (HP SecureObjects)
August 25, 2008 at 12:26 am
More on load/performance testing: http://sixrevisions.com/tools/faster_web_page/
Also see: http://www.stoev.org/elza.html