WebApp Throwdown!

WebApp Scanning Throwdown!

Starring: Nexpose Enterprise, Nessus 4.2 Professional Feed and Core Impact v10

The Victim: http://demo.testfire.net/ (Sorry IBM… not!)

Revised: 1/19/2010


Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and mis-read a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

 I feel the most important conclusions that can be drawn from this comparison are:

  1. You can’t rely on one tool to find all your issues
  2. You need to make sure your tools are properly configured for maximum results
  3. No tool will find everything, but it will be a good indicator you may need to take something apart to look at it more closely