WebApp Scanning Throwdown!
Starring: Nexpose Enterprise, Nessus 4.2 Professional Feed and Core Impact v10
The Victim: http://demo.testfire.net/ (Sorry IBM… not!)
Revised: 1/19/2010
Important Follow-up!
I have to apologize for errors in my original article. I missed a few findings in some of the reports, and mis-read a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.
Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference, though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.
I feel the most important conclusions that can be drawn from this comparison are:
- You can’t rely on one tool to find all your issues
- You need to make sure your tools are properly configured for maximum results
- No tool will find everything, but it will be a good indicator that you may need to take something apart to look at it more closely