No one is saying don't do manual testing, that's like 90% of the job, but you gotta make up this weird strawman in your head to fuel your misplaced superiority complex. but the CEH gave me a more advanced training on these tools and more, like Armitage, Metasploit, Burp Suite, Namp, Zenmap, Nessus, and many more. Data Security Standard (PCI DSS) Executive and custom Nikto, Burp Suite. This idea that vulnerability scanners are bad and evil and nobody should use them and people who do don't do any manual testing is so strange. Perform powerful penetration testing using Kali Linux, Metasploit, Nessus.
That doesn't mean you don't do any manual testing if the automated tools don't find anything, you still do the manual testing regardless, but if launching a Netsparker scan that takes me exactly five minutes to launch instantly finds me 5 XSS's, that's 5 XSS's I can immediately tell my client about.
BURP SUITE VS NESSUS SOFTWARE
A real world pentest isn't a CTF, when we get contracts to test a new custom-built application or some technologically illiterate company asking for a pentest of their 10-year-old website and unpatched internal network, we can get DA in a 10 minutes Nessus scan quickly getting us a MS017-010 in the case of internal testing or get a ton of low-hanging fruits with a web app vulnerability scanner. Compare price, features, and reviews of the software side-by-side to make the best choice for your business. If you're not using a vulnerability scanner to GO ALONG with your manual testing, you're intentionally making the job longer and harder on yourself for no good reason. They don't provide any results in and of itself Right now the only other choice that ticks all the boxes (other than our tried and true Netsparker) seems to be Qualys. We also like the thick client for web application testing on internal networks (intranets, etc.). PortSwigger Burp Suite Enterprise Edition is rated 10.0, while Tenable Nessus is rated 8.4.
It seems a lot of vulnerability scanners have moved to models where you integrate it into your dev pipeline and run scans on your application with a per-site license, which obviously doesn't work well for us with the amount of scans we have to do every year. PortSwigger Burp Suite Enterprise Edition is ranked 14th in Vulnerability Management with 1 review while Tenable Nessus is ranked 3rd in Vulnerability Management with 47 reviews.
BURP SUITE VS NESSUS LICENSE
We've tried a bunch over the years and for the past couple of years we've been using Netsparker and we're mostly pleased with it, but our license is about to expire and we're exploring the other choices and was wondering what you guys use. For quick wins/vulnerability assessment on internal and external tests we use Nessus and we also tried it out a couple years back for web testing but the web application scanner felt very lackluster compared to the rest. Tried to make the title as concise as possible, so to put it more in context, we're a pentesting company that does pentesting for basically everything under the sun (though it is about 80% internal/external/web) but for web applications specifically, we get around ~100 contracts/year.
0 kommentar(er)
