Question

I'm not sure if this is even an appropriate question for SO but I'll go ahead anyway as I'm not sure.

I've been looking at Pen Testing tools for my current project and have found a number of them but ultimately there is no getting away from taking this seriously and looking to a professional organisation or individual that specialises in performing this kind of work.

The reason for looking for tools is simply to enable me to pick off the low hanging fruit before initiating a full pen testing cycle. This should also hopefully make that process cheaper as I will hopefully have addressed all the obvious vulnerabilities.

Tools & Resources

Organisation & Individuals

I'm wondering if there are any resources out there that rate and review organisations performing these tasks? Are there any organisations that you could recommend that you have used previously with good results?


Solution

@Jammer, I am not sure if there exists such a rating that you are looking for. My personal view would be: make a study of your requirements, whether you are looking for a certification or compliance or just trying to increase security. Based on these criteria, you can look at the pentesting organisations and evaluate them on your own. This link may help:

http://www.ivizsecurity.com/blog/penetration-testing/how-to-choose-penetration-testing-companies/

Anyway, there is always a trade-off between choosing third-party vendors or owning your own security team. You can go for third-party consultation and then have your own in-house security-educated QA team.

Hope this helps.

Other tips

I am afraid some of the tools you listed are not comparable.

Burp is a proxy/scanner tool. You can intercept the traffic with Burp and manipulate the request before sending it to the server. The Pro version has a scanner for the specific requests you send to the scanner.

Nikto and AppScan are automated scanners. At the end, you need to eliminate false positives, and you might also have false negative results.

nmap is a powerful tool for networking stuff such as port scanning and ftp-, snmp- etc. related searches by using its scripting engine.

Additionally, using automated tools will not reduce your penetration testing costs, because in any case you should take a penetration test service before making your app public.

Reducing security costs is not a good idea; instead it is better to hire developers who have a secure coding background or to apply a secure development lifecycle to your development environment.

If you have any other question, please shoot it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow