If you’re choosing a web application vulnerability scanner for the first time, or struggling to get the most out of Nessus’ web application plugin, here’s why you should be considering Acunetix.
Tenable Nessus is one of the oldest and most widely used network scanners around. The once open source network scanner is one of the go-to network security scanners for many penetration testers — so why bother looking at other tools at all? Nessus unlike Acunetix, is a scanner focused on detecting network layer vulnerabilities. Nessus is perfectly suited towards detecting network vulnerabilities, open ports and helping with patch management by detecting un-patched versions of Unix, Linux and Microsoft Windows and other host based vulnerabilities. However, it was not originally designed for website and web application vulnerability scanning.
On the flip-side, Acunetix was, from day one built specifically to scan websites and web applications for vulnerabilities. Such examples of vulnerabilities detected by Acunetix include SQL Injection, Cross-site Scripting (XSS) and Local File Inclusion (LFI). These vulnerabilities, unlike the ones commonly detected by Nessus are exploitable purely over HTTP. This means that most traditional network infrastructure controls such as firewalls and network segmentation are not typically sufficient at mitigating web application vulnerabilities.
Keen observers may note that Nessus does include some web application testing functionality. While these tests are a good first step at catching any glaring low-hanging fruit, they are not nearly as detailed, rigorous or configurable as automated web application tests carried out by Acunetix.
Acunetix is especially ideal if you’re looking for a Nessus alternative with a specific focus on web security vulnerability assessment. Like Nessus, Acunetix is easy to install and has a simple user interface accessible through a regular web browser. It’s also simple to keep up to date and can easily be accessed from any browser at any time.
Industry leading technology coverage
Acunetix has a relentless focus on delivering the signal from the noise, and as such, does not waste your time with false positives. Moreover, it can detect advanced security vulnerabilities such as Blind Cross-site Scripting (Blind XSS) and Out-of-band SQL injection (OOB SQLi), whilst also being blazing fast thanks to it’s AcuMonitor and DeepScan technologies.
With Acunetix, information security teams can setup scheduled automated penetration testing scans, to discover thousands of web application vulnerabilities and misconfigurations. They can then quickly and easily generate reports highlighting what actions need to be taken in order to improve their security posture.
In addition to dynamic, black box scanning (DAST), Acunetix, unlike Nessus, allows you to conduct gray box (IAST) scans thanks to AcuSensor. AcuSensor is a sensor that can be installed on the web server for Java, ASP.NET and PHP web applications. This brings together the best of dynamic testing, together with feedback from sensors within the source code whilst it is in execution.
Speed not at the expense of accuracy
With nearly any type of black-box scanning, there is generally a tradeoff between speed and accuracy. With a re-architected core, and a highly optimized crawler, the Acunetix key feature is speed without sacrificing accuracy. This allows it to scan enormous web applications containing hundreds of thousands of pages quickly, without reporting a sea of false positives.
Integrations with third-party penetration testing software like PortSwigger BurpSuite and Web Application Firewalls (WAFs) such as Imperva SecureSphere and F5 Big-IP ASM make it easy to import and export crucial data in formats that matter to getting vulnerabilities fixed.
We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.