Will Acunetix remove vulnerabilities from my web application just as my antivirus does?

Web application security vulnerabilities are very different from malware. They are programming bugs – introduced by the application creators themselves, not by malicious parties. Therefore, the only way to remove them is for the developer to fix the application.

If the vulnerability is in a custom application, written by your developers specifically for your business, only you can fix it. If the vulnerability is in a third-party application, for example, a CMS plugin, you can wait for the creators of the third-party application to fix it or your developers may fix it themselves temporarily until a safe version comes out.


Can I fix web application security vulnerabilities by patching software like in the case of vulnerabilities found by my network scanner?

If all your web applications are third-party software, for example, WordPress or Magento, you will be able to patch them after Acunetix finds a vulnerability (if a patch is available). However, Acunetix can find even vulnerabilities that the creators of third-party software don’t know about.

If you build your own web applications, those applications cannot be simply patched. Your developers will need to find a way to fix them. Acunetix will help your developers by providing links to resources that teach them how to fix typical vulnerabilities. You can also use Acunetix to double-check later if vulnerabilities have been fixed.


Will Acunetix be able to scan my web application deployed in Docker? What about Kubernetes? Will it work with nginx? What if my application is written in Ruby?

The simple answer to this question is: if your application can be accessed using a web browser, Acunetix can scan it. All you need is to provide a URL (for example, http://www.example.com/).

It does not matter what language you used to write the application. It does not matter if it’s an application written by your developers or a third-party one. It does not matter what type of server the application is installed on (e.g. Apache, nginx, IIS, or others). It does not matter if you use containers or not.

But there’s more. Acunetix can scan anything that is accessible using front-end web technologies. This means that you can also use Acunetix to scan APIs as long as you supply it with the list of URLs (for example, a Swagger file for the API).


I have been told that if I buy a web application firewall (WAF), it will be enough for web application security. Why would I need Acunetix?

Relying on a web application firewall for web application security is like taking a pain killer pill while having a serious medical issue. The pill will take away the pain but the medical issue will still be there. You need to go to the doctor to find the source of the medical issue and address it. Acunetix is your first contact doctor for the web, not a painkiller like a WAF.

Acunetix helps you find the source of the issue in the web application so your developers can address it. If you just use a WAF, your issue will be partially masked from attackers. It will be more difficult to attack your web application but not impossible.

However, if you already have a WAF or planning to buy one, you can use it the right way together with Acunetix. Read more about WAF security and the proper way to use web application firewalls.


Why would I invest in Acunetix if I could use an open-source solution instead?

Open-source web application security solutions are much simpler and much more limited than professional products like Acunetix and its commercial competitors. If you have one web application, you can use an open-source product to secure it. But if you have more web applications and, most importantly, if you want your company to grow, you will soon find out that an open-source application will not meet your needs and will hinder your web security.

Read more about why open-source web application security software is not enough for businesses.


I heard that source code scanners are the best way to secure web applications. Why would I choose Acunetix instead?

Source code scanners, commonly referred to as SAST tools, are used in slightly different circumstances than web vulnerability scanners like Acunetix, commonly referred to as DAST tools.

SAST tools are meant to be used only in automated environments, not for ad-hoc security. They require full access to the entire source code, which is often not possible, for example, if you use third-party libraries. They don’t provide the whole picture of vulnerabilities, for example, they won’t find any web server misconfigurations. They also work for only some programming languages, so you may be unable to use them for all your web applications.

There is just one advantage of source code scanners – they help with faster remediation because the developer receives the exact location of the security issue in the source code. However, if you need that kind of information, you can use the AcuSensor IAST module, which will also provide you with line numbers.


Is Acunetix enough for my web application security?

In a professional environment, we recommend that you don’t just fall back onto a single tool, even one as good as Acunetix. We recommend that you build your security by starting with Acunetix and then add more elements such as a web application firewall (WAF), a source code scanner (SAST), a software composition analysis (SCA) tool, a runtime application security protection (RASP) tool, as well as perform external penetration tests and red team vs. blue team exercises, create a bounty program, and more.

However, you don’t need all of that at the beginning. If you start with Acunetix, most of your web application security needs will be covered. You need other solutions simply to come closer to perfection when it comes to web application security.


I already have a bounty program in place. Why would I need Acunetix?

While bounty programs are an excellent element of web application security strategies, they are very inefficient if treated as the primary element. You have no control over a bounty program at all. They give no guarantees, they are not thorough, and they give a false sense of security.

Independent white-hat hackers cannot cover all your web applications and all of their functions. They will focus on vulnerabilities that are easy to find and get paid for. You may even end up paying a lot of money to hackers who used Acunetix to find vulnerabilities for you.

Read more about why you should not rely on bounty programs for your web application security.


Due to the impact of COVID-19, we reduced our web application security budget and focused on remote work security instead. Should we reconsider?

The switch to remote work, caused primarily by the COVID-19 pandemic, also means that applications need to be accessed remotely. Therefore, many internal web applications are now accessible from the outside and even more companies migrate their legacy applications to the cloud. As a result, the web application attack surface has increased greatly in 2020 – much more than in the case of endpoint security or network security.

Therefore, if you want to re-focus your IT security efforts, it is a good idea to reconsider web application security as one of the most important areas. We believe that it should be on the top of your priority list along with user education (due to the increased number of phishing attacks). Often, an attacker will find it much easier to hack your web application’s database than to try to find vulnerabilities in endpoint devices.

Read our suggestions for IT security strategy as a result of the changes brought on by the pandemic.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.