<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Why HP is wrong about the Web Security Lifecycle</title>
	<atom:link href="http://www.mypentest.com/web-security-lifecycle/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mypentest.com/web-security-lifecycle/</link>
	<description>Penetration Testing Web applications</description>
	<pubDate>Sun, 23 Nov 2008 13:50:05 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Larry Smith</title>
		<link>http://www.mypentest.com/web-security-lifecycle/#comment-243</link>
		<dc:creator>Larry Smith</dc:creator>
		<pubDate>Sat, 15 Nov 2008 02:09:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.mypentest.com/?p=41#comment-243</guid>
		<description>I think points about WebInspect are fair but WebInspect was adopted by pen testers and security teams long before the development lifecycle was part of the picture for these tools. QA Inspect is actually identical to WebInspect under the hood in that they share exactly all of the identical capabilities except in the area of certain interactive testing modes like step mode. As a matter of practice I recommend that users of QA Inspect consult with WebInspect users and when required scan with WebInspect. QA Inspect helps to automate the process for a QA tester but complex application scans cannot be performed blindly and that's the major difference between the tools. The QA Inspect scan result cannot be viewed except as a set of defects in Quality Center or to import them into and view them with WebInspect... DevInspect on the other hand increases the code coverage of testing by combining static analysis with the black box testing methods of WebInspect...
anyway, good comments, thanks for the thread</description>
		<content:encoded><![CDATA[<p>I think points about WebInspect are fair but WebInspect was adopted by pen testers and security teams long before the development lifecycle was part of the picture for these tools. QA Inspect is actually identical to WebInspect under the hood in that they share exactly all of the identical capabilities except in the area of certain interactive testing modes like step mode. As a matter of practice I recommend that users of QA Inspect consult with WebInspect users and when required scan with WebInspect. QA Inspect helps to automate the process for a QA tester but complex application scans cannot be performed blindly and that's the major difference between the tools. The QA Inspect scan result cannot be viewed except as a set of defects in Quality Center or to import them into and view them with WebInspect&#8230; DevInspect on the other hand increases the code coverage of testing by combining static analysis with the black box testing methods of WebInspect&#8230;<br />
anyway, good comments, thanks for the thread</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: rada</title>
		<link>http://www.mypentest.com/web-security-lifecycle/#comment-238</link>
		<dc:creator>rada</dc:creator>
		<pubDate>Tue, 04 Nov 2008 16:32:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.mypentest.com/?p=41#comment-238</guid>
		<description>Thorough study and analysis! Is there any comparable difference between QAinspect and the IBM Appscan? If you have analysed it, please let me know. 
Thanks</description>
		<content:encoded><![CDATA[<p>Thorough study and analysis! Is there any comparable difference between QAinspect and the IBM Appscan? If you have analysed it, please let me know.<br />
Thanks</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Gareth Davies</title>
		<link>http://www.mypentest.com/web-security-lifecycle/#comment-19</link>
		<dc:creator>Gareth Davies</dc:creator>
		<pubDate>Wed, 09 Jul 2008 12:45:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.mypentest.com/?p=41#comment-19</guid>
		<description>I do not think that diagram should be a fluid one as it is shown.

I think they are pitching WebInspect as a standalone product to test against current web applications that were not developed or tested using the other two products.

Good read though!

I am trialing DevInspect at the moment and really like it, however I am finding it hard to get some pricing information.</description>
		<content:encoded><![CDATA[<p>I do not think that diagram should be a fluid one as it is shown.</p>
<p>I think they are pitching WebInspect as a standalone product to test against current web applications that were not developed or tested using the other two products.</p>
<p>Good read though!</p>
<p>I am trialing DevInspect at the moment and really like it, however I am finding it hard to get some pricing information.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Linden</title>
		<link>http://www.mypentest.com/web-security-lifecycle/#comment-18</link>
		<dc:creator>Linden</dc:creator>
		<pubDate>Sun, 22 Jun 2008 09:37:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.mypentest.com/?p=41#comment-18</guid>
		<description>HP should really push WebInspect to be used both in the Test and Production stages of the SDLC. Compliance standards often necessitate testing of in-production systems so there is some merit to what HP is saying.
To make the "proper" diagram even harder to draw, compliance standards such as PCI DSS necessitate code revision on a minimum quarterly basis as well as whenever a code change has been made - thus DevInspect can be pitched as useful within the Production stage too!</description>
		<content:encoded><![CDATA[<p>HP should really push WebInspect to be used both in the Test and Production stages of the SDLC. Compliance standards often necessitate testing of in-production systems so there is some merit to what HP is saying.<br />
To make the &#8220;proper&#8221; diagram even harder to draw, compliance standards such as PCI DSS necessitate code revision on a minimum quarterly basis as well as whenever a code change has been made - thus DevInspect can be pitched as useful within the Production stage too!</p>
]]></content:encoded>
	</item>
</channel>
</rss>
