With all the talk lately, especially in the OWASP LinkedIn forum, about the most expensive web scanners being the so-called best, Infosec Island has put the far more affordable web vulnerability scanners to the test.
Using two well-known web applications that were purposely built with vulnerabilities to facilitate web application testing and research, Damn Vulnerable Web Application (DVWA) and Testfire, the IBM AppScan demo site, Infosec Island's Mark Baldwin set out to see whether these claims held up and to determine the strengths and weaknesses of the more affordable options.
“Fortunately, in recent years, two companies have developed commercial webapp scanners that rival the features, the speed, the usability and the accuracy of any commercial tool on the market. And they do it at a price point that just about any small business or independent consultant can afford”, said Baldwin.
So what did the review have to say about these scanners, and about Acunetix in particular? “The strength of Acunetix lies in its ability to quickly detect a wide variety of vulnerabilities with little need for advanced tuning and configuration. However, for those who desire more control over the tests and like to get their hands dirty, Acunetix provides the flexibility and built-in tools that even the most advanced pen testers will appreciate.”
Acunetix Web Vulnerability Scanner proved impressive. “With Acusensor enabled, Acunetix detected 8 of the 9 specifically crafted vulnerabilities in DVWA.” It did this without any false positives: “Both Netsparker and Acunetix did a very good job of not reporting false positives. None of the reported vulnerabilities in my tests were discovered to be false positives.”
It looks as though those claiming that the most expensive web vulnerability scanners are the best need to rethink their position. You can read the full independent review by Mark Baldwin over at Infosec Island, here.