Vulnerability Scan tool for windows

lnrivera
Hi,

I'm looking for a vulnerability scan tool to check web pages and servers.

I see that Nessus is no longer free. Could somebody please send me any suggestions for (free or cheaper) scan tools that run on a Windows client?

Thanks
Have you tried the Microsoft Baseline Security Analyzer?

http://technet.microsoft.com/en-us/security/cc184923 

Author

Commented:
We need to scan web servers running any kind of OS.

The Windows requirement is only for installing the tool.

Thanks

Author

Commented:
In any case, if there is a really good tool that only runs on Linux, of course I can use it too.

Thanks
Paolo Santiangeli, IT Consultant

Commented:

Author

Commented:
As I said in my first message, I think that Nessus is a bit expensive for a small company. Is there any cheaper special license? How much do you pay for a starter license?
Commented:
http://projects.webappsec.org/Web-Application-Security-Scanner-List

Commercial Tools:
----------------------
Acunetix WVS by Acunetix
AppScan by IBM
Burp Suite Professional by PortSwigger
Hailstorm by Cenzic
N-Stalker by N-Stalker
Nessus by Tenable Network Security
NetSparker by Mavituna Security
NeXpose by Rapid7
NTOSpider by NTObjectives
ParosPro by MileSCAN Technologies
Retina Web Security Scanner by eEye Digital Security
WebApp360 by nCircle
WebInspect by HP
WebKing by Parasoft
Websecurify by GNUCITIZEN
Software-as-a-Service Providers:
------------------------------------------
AppScan OnDemand by IBM
ClickToSecure by Cenzic
QualysGuard Web Application Scanning by Qualys
Sentinel by WhiteHat
Veracode Web Application Security by Veracode
VUPEN Web Application Security Scanner by VUPEN Security
WebInspect by HP
WebScanService by Elanize KG
Free / Open Source Tools:
-------------------------------
Arachni by Tasos Laskos
Grabber by Romain Gaucher
Grendel-Scan by David Byrne and Eric Duprey
Paros by Chinotec
Andiparos
Zed Attack Proxy
Powerfuzzer by Marcin Kozlowski
SecurityQA Toolbar by iSEC Partners
Skipfish by Michal Zalewski
W3AF by Andres Riancho
Wapiti by Nicolas Surribas
Watcher by Casaba Security
WATOBO by siberas
Websecurify by GNUCITIZEN
Zero Day Scan

I use Backtrack, Nikto, Nessus, Paros, ike, SARA, skipfish, open-source packages and IBM AppScan. I do most of the scans from a Linux client machine. AppScan is a good one, but it's expensive. Read:
http://www-01.ibm.com/software/awdtools/appscan/
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
http://msdn.microsoft.com/en-us/library/ff650760.aspx
https://www.owasp.org/index.php/Main_Page
btan, Exec Consultant
Distinguished Expert 2018
Commented:
OpenVAS - http://www.openvas.org/
Its public feed of Network Vulnerability Tests (NVTs) is useful for keeping the OpenVAS server used to scan your targets up to date. Also see this link for quick info:

@ http://www.zdnet.com/blog/security/openvas-emerges-as-free-alternative-to-nessus/1715

It can also extract or activate Nikto (open-source (GPL) web server scanner) scans through a plugin module; check out this document:

@ http://wald.intevation.org/frs/download.php/558/openvas-compendium-1.0.1.pdf

Some other good sources of information include:

a) Web Application Security Scanner Evaluation Criteria (WASSEC) - covers areas such as crawling, parsing, session handling, testing, and reporting - http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria

b) OWASP Prevention Cheat Sheet  - https://www.owasp.org/index.php/Cheat_Sheets
