With the immense popularity of open-source software such as Linux, WordPress, or Magento, you might wonder why the situation is so different in the world of web application security. Let’s try to compare open-source vulnerability scanners with commercial solutions and it will soon be clear why businesses shy away from open-source web application security tools.

Open-Source and IT Security

A lot of popular IT security software is distributed using open-source licenses. Most penetration testing tools such as nmap or Wireshark are open-source. There are also advanced solutions such as the Snort IPS/IDS and the OpenVAS network vulnerability scanner (an offshoot of Nessus). So why is it different in the case of web application security?

The quality of open-source web application security tools lags behind commercial products. While there are small businesses that say that open-source tools are enough for them, even they tend to change their mind when they grow.

Here are some of the reasons why open-source web application security tools cannot measure up to professional solutions such as Acunetix.

Reason 1. Ease of Use

When the first web security scanners appeared, they were meant to be used manually to perform vulnerability tests. They were intended for security experts – penetration testers, security researchers, etc. Therefore, ease of use was never a very important factor because experts understand web application security well enough to figure out how to get the most out of the software. This trend still prevails with manual tools.

In time, the intended audience for web vulnerability scanners shifted. People without deep security knowledge also needed them, for example, system administrators tasked with handling security in smaller businesses, DevOps engineers setting up agile SDLCs, or even developers themselves. Why not just security personnel? For one simple reason – security needs are growing so fast that there aren’t enough security professionals to hire. There is a major cybersecurity skills gap, and it is expected only to widen with time. Therefore, more and more security tasks have to go to people who have less training and who rely on good automated tools.

Unfortunately, the development of open-source tools did not follow this trend. Open-source web vulnerability scanners remained rather difficult to use, similar to many other open-source tools.

Reason 2. More than Vulnerability Scanning

Open-source web application security tools are, by design, just vulnerability scanners. However, businesses need much more than pointing a tool at a web server and getting a list of vulnerabilities. You cannot fix all vulnerabilities at once – a business must know which vulnerabilities should be given priority because they pose a bigger security risk. You also need to manage the process of fixing and rechecking.

Professional web application security tools such as Acunetix are not just scanners – they are also vulnerability management and vulnerability assessment tools. They assess vulnerability severity so that you start by fixing important issues like SQL injections or cross-site scripting and only then spend time on non-critical misconfigurations. They also provide both built-in issue management and out-of-the-box integrations with popular issue trackers such as Jira.

Reason 3. Keeping Up with Growth

The third reason why open-source web application security tools are not a good fit for businesses is the pace at which web application security evolves. A business cannot afford to wait until open-source project teams find time to add new vulnerability classes, new functionality, or support for new web frameworks. The importance of web application security grows fast, simply because more and more businesses move their on-premises applications to the cloud and expose them to the Internet. This also means that criminals have a strong incentive to keep up with the latest developments and find new ways to take advantage of vulnerabilities.

Software vendors that are dedicated to web application security, such as Invicti, have a unique advantage: they can devote all their effort to keeping up with web technologies and trends. This is an advantage not only over open-source tools but also over other commercial providers. Many security tool vendors focus primarily on network vulnerability scanners, which are all about signatures and patching, and shy away from the complexities of modern web application security. They simply cannot keep up. Acunetix can.

Reason 4. Hidden Costs of Open-Source

Many businesses that work with open-source tools know very well that there are hidden costs associated with free software. In software, free usually means no vendor help and no vendor support, only community support. For example, businesses that choose the Linux operating system to replace Windows often subscribe to third-party support programs. This makes free software no longer free and, in the long run, often more expensive than commercial alternatives.

Of course, the need for support is different for different software classes. A simple word processor might not need as much support as a complex IT security solution. Due to their nature, web vulnerability scanners may need some support with initial configuration issues and even more support if you intend to automate tasks and integrate the tools with your current environments.

Without support, open-source web vulnerability tools are just manual pen testing tools for security researchers – they help identify potential vulnerabilities and that’s where the story ends.

Reason 5. False Positives in a Vulnerability Scanner

False positives are the biggest pain point of web application security. This is because web application security mostly deals with custom code. A false positive from a network vulnerability scan does not involve your developers; at worst it means that you apply a patch to some software or a network device that did not really need it. In a web application security scenario, you must either double-check every vulnerability reported by the scanner, consuming the time of your pen testing team, or accept the risk that developers will be hunting ghosts, trying to fix a problem that does not exist.

That is why one of the most important criteria for selecting a web security scanner is how it handles false positives. If the scanner can, in some way, prove that the vulnerability exists, it means that the issue can go straight to the developer for a fix – there’s no need for manual confirmation. Open-source scanners (and several commercial products, too) don’t have such capabilities. Every reported issue is just a potential vulnerability, not a real one. On the other hand, Acunetix can mark the vulnerability as 100% confirmed and in many cases provide you with proof such as a copy of sensitive data that should not be accessible.
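The confirmation step the paragraph above describes can also be done by hand before a finding is handed to a developer. The following is an added example, not code from Acunetix or from the original post: it takes a constructed scanner report listing two potential SQL injections and runs a boolean-based differential test against each target. The two "endpoints" are hypothetical functions backed by an in-memory SQLite database, one vulnerable (string-concatenated SQL) and one hardened (parameterized query), standing in for the HTTP requests a real confirmation would make.

```python
"""Confirm scanner-reported SQL injection findings before they reach developers.

Added example. The endpoints, database and scanner report below are all
constructed stand-ins; nothing here talks to a real application.
"""
import sqlite3

# Constructed backing store shared by both hypothetical endpoints.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])


def vulnerable_lookup(user_id: str) -> list:
    """Hypothetical endpoint that concatenates the parameter into SQL: a real injection."""
    return DB.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def hardened_lookup(user_id: str) -> list:
    """Hypothetical endpoint using a parameterized query: the scanner's finding is a false positive."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # non-numeric input is rejected, never interpreted as SQL
    return DB.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()


ENDPOINTS = {"/vuln": vulnerable_lookup, "/safe": hardened_lookup}

# Constructed scanner output: every entry is only a *potential* vulnerability.
SCANNER_FINDINGS = [
    {"url": "/vuln", "param": "id", "type": "SQL Injection", "severity": "high", "value": "1"},
    {"url": "/safe", "param": "id", "type": "SQL Injection", "severity": "high", "value": "1"},
]


def confirm_boolean_sqli(endpoint, base_value: str) -> bool:
    """Boolean-based confirmation for a numeric parameter.

    The injection is treated as confirmed only if a tautology (AND 1=1) reproduces
    the baseline response *and* a contradiction (AND 1=2) changes it. Requiring
    both sides of the differential guards against a single odd response being
    mistaken for proof.
    """
    baseline = endpoint(base_value)
    if not baseline:
        return False  # nothing to compare against; cannot confirm
    true_resp = endpoint(f"{base_value} AND 1=1")
    false_resp = endpoint(f"{base_value} AND 1=2")
    return true_resp == baseline and false_resp != baseline


def triage(findings: list) -> list:
    """Annotate each finding as confirmed or not; confirmed, higher-severity issues first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    results = []
    for finding in findings:
        confirmed = False
        if finding["type"] == "SQL Injection":
            confirmed = confirm_boolean_sqli(ENDPOINTS[finding["url"]], finding["value"])
        results.append({**finding, "confirmed": confirmed})
    return sorted(results, key=lambda r: (not r["confirmed"], order.get(r["severity"], 9)))


if __name__ == "__main__":
    for item in triage(SCANNER_FINDINGS):
        status = "CONFIRMED" if item["confirmed"] else "unconfirmed"
        print(f"{status:11} {item['severity']:6} {item['type']} at {item['url']}?{item['param']}=")
```

Against a real application the "response" would be the HTTP status and body rather than a list of rows, the baseline request should be repeated to rule out dynamic content before comparing, and string-context parameters need quoted payloads (for example `1' AND '1'='1`) instead of the bare numeric ones used here. The structure of the check stays the same: a finding is only forwarded to developers once both halves of the differential hold.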

Worse still, the problem of false positives does not just grow linearly with the number of web applications and the development of your business. The bigger your business and the more applications you have, the worse the impact of false positives on your resources. So if you’re looking towards the future, you simply cannot afford to use a tool that will hinder your growth, such as a basic, manual, open-source web security scanner.

Can You Afford Free?

Open-source software is a great starting point if you’re a learner, an independent researcher, or a small start-up (for example, if you have less than 5 web applications in total). However, if you intend to grow, sooner or later you will notice that open-source software is no longer enough and even if it identifies web security vulnerabilities, it cannot help you fix them. And, ultimately, the goal of web application security isn’t to point out vulnerabilities but to eliminate them.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.