Quick Start Guide for Acunetix 360
This quick start guide aims to get you oriented with Acunetix 360. For this scenario, you will scan one of the test websites of Acunetix. Scanning a test website can give you an idea about the capabilities of Acunetix 360.
Here are some of the things you will learn how to:
- Add a target website to your Acunetix 360 account
- Customize scan settings for your website
- Review scan results
- Integrate Acunetix 360 with an issue tracking system
- Create a scan report
Step 1: Adding a Target Website
Before scanning, you have to add a website to your Acunetix 360 account. To do this, from the main menu, select Websites > New Website. Then, you can enter the necessary information, such as name, URL, technical contact, and select Save. For further information, see Adding a Website in Acunetix 360.
For the Agent Mode, you can select the Cloud when the website is not in your internal network and is accessible publicly from the internet. If you want to scan a website in your internal network, you can select the Internal mode and install an agent.
Step 2: Launching a Scan
Now that you’ve added your website for the security scanning, you can go ahead and launch a scan. To do this, from the main menu, select Scans > New Scan. Acunetix 360 lets you start scanning with the default settings.
Using Default Settings
It provides many default configurations including Default Scan Policy with built-in Security Checks, Report Policy, Maximum Scan Duration, Scan Scope, Heuristic URL Rewrite Mode, and Notifications. This makes it easy to get started quickly. To understand the scan settings in-depth, see Creating a New Scan.
You may wish to go ahead with the default settings. After selecting the target website, you need to select Launch. Right after, Acunetix 360 will begin scanning the website.
You can monitor the progress in real-time. Also, Acunetix 360 will start reporting vulnerabilities as soon as it identifies them.
Using Customized Settings
What if you need to configure the scan settings and authentication? You may have a website that requires fine-tuning the scan settings. To meet such needs, Acunetix 360 has extensive customization options suitable for your website. The following scenario will showcase some of these extensive customization options.
- For this scenario, you need to enter authentication information so that Acunetix 360 can crawl and attack password-protected web pages. To do so, select Form > Form Authentication. As the PHP test website has a straightforward login page, it is easy to configure.
- Once you enter the login credentials, select Verify Login & Logout to make sure that Acunetix 360 can crawl and attack these web pages. If your own website has a different configuration for authentication, see Overview of Authentication.
- Next, you may wish to configure the Scan Scope. It lets you define what part of the website can be scanned. You can instruct Acunetix 360 to scan only the entered URL. That means only the supplied URL and the parameters on its page will be scanned.
- Further, you can exclude a certain part of the website from the security scanning. You can do this thanks to the regular expression (RegEx). If you wish, you can also exclude the authentication web pages from the scan. When you select the Exclude Authentication Pages checkbox, Acunetix 360 will exclude authentication-related web pages – such as login and logout – from the scan scope to prevent logging out during the scan. For further information, see Scan Scope.
- Now, you may wish to configure the scan time window. As the PHP test website is in the production environment and is accessible to visitors, you may not want to cause any disruptions. So, you can instruct Acunetix 360 to perform scanning within non-business hours. For further information, see Scanning Production Environments.
- In addition to these customizations, you may add links to have a head start in scanning and configure notifications. To understand each setting and how to configure it, see Acunetix 360 Scan Options Fields.
Remember that scan duration may vary depending on the size of the web application and the variety of security checks enabled in the Scan Policy you’ve selected.
Step 3: Reviewing Scan Results
When Acunetix 360 completes the security scanning, it notifies you with an email. In this scenario, the scanner warns you that the PHP test website is very insecure and requires immediate attention.
- Now, select View the Report Online to see the scan summary. This page lists vulnerabilities grouped by severity levels. For further information, you can review the technical report to see whether the vulnerability identified by Acunetix 360 is confirmed. Once you understand this vulnerability is confirmed, you can start working on the issue.
- You may wish to select Update to assign this vulnerability to developers. Acunetix 360 notifies them so that they can start working on this vulnerability. Or, you can select the Accepted Risk button and prefer not to work on it.
- When you want to review the progress, you can select Issues > All Issues. This page provides you a quick overview of vulnerabilities. For example, Acunetix 360 shows that the Blind SQL Injection is Fixed (Unconfirmed).
- This means a remediation action has been taken on this issue, and the issue is updated as Fixed. Now, select Issues > Waiting for Retest. Acunetix 360 notifies you that it is about to scan to confirm the remediation, and when the scan is completed, you’ll be notified.
- If the issue is fixed, the issue's state will be automatically changed to Fixed (Confirmed); otherwise, Acunetix 360 will change its status back to Present again and will assign it to the user who marked the issue previously as Fixed.
Want to create a team in Acunetix 360? See Managing Team Members in Acunetix 360.
Step 4: Integrating with Issue Tracking Tool
To handle issues easily, you may wish to integrate Acunetix 360 with an issue tracking system. Acunetix integrates with a wide range of software and tools that you can integrate into your existing SDLC processes, including vulnerability management systems, issue tracking systems, continuous integration systems, and web application firewalls. These tools help you to streamline the bug-fixing processes.
For further information about integrations, you can see Integrations.
- Let's say you set up an integration with Jira. So, you want Acunetix 360 to report critical issues to Jira once the scan is completed. Then, you can assign issue(s) to developers directly from Jira. To do so, you can select Notifications > New Notification.
- Then, you can configure bi-directional integration with Jira, so, when a developer fixes an issue and sends a merge request, Acunetix 360 tests the fix to make sure that the issue is really fixed or not. If Acunetix 360 still identifies an issue, it re-assigns the issue to the same developer. To configure this, you can select Integrations > New User Mapping. Then, select the Jira tab and complete the integration.
Step 5: Creating a Scan Report
Suppose you’ve scanned php.testsparker.com and assigned the issues to developers. While they have been working on these issues, your managers may want to view the progress. So, you need to submit a report to them so that they can glance through the report and understand your progress.
To generate an executive summary, from the Recent Scans window, you can select Report from the relevant scan. Then, select Export.
From the Report drop-down, you can select the Executive Summary. From the Format drop-down, select PDF. Then, select Export.
What if developers want to view the progress on the website? Then, you can select the Detailed Scan Report from the Report drop-down and Export. For more information about different types of reports, see Reports.
This quick start guide aims to get you oriented with Acunetix 360. Need more information about how to use Acunetix 360? Visit https://www.acunetix.com/support. Still have questions? Contact firstname.lastname@example.org.