With the modern cybersecurity threat landscape continuously changing, one of the best ways for organizations to keep up with the onslaught of security vulnerabilities is through penetration testing their websites and web applications for serious vulnerabilities such as SQL Injection and Cross-site Scripting (XSS). The most effective way of automating a lot of the work carried out in manual penetration testing is through the use of a black-box vulnerability scanner.
Black-box scanners work over the HTTP/HTTPS protocol and do not require access to the application source code. Moreover, since a black-box web application vulnerability scanner does not know anything about the application it is attacking, it closely mimics the behaviour of a real attacker. This makes black-box web vulnerability scanners ideal for automating web application security in large and complex organizations where manual vulnerability testing would not be able to scale quick enough to cope with the speed at which security issues are introduced within code.
Automated black-box security scanners like Acunetix allow organizations to scan anywhere from a handful, to thousands of web applications and web services quickly, cost effectively and, most importantly, continuously.
Industry Leading Technology Coverage
With Acunetix, security teams can setup scheduled automated black-box scans, to test for thousands of web application vulnerabilities and web server misconfigurations.
Speed without sacrificing flexibility
Additionally, unlike many other external vulnerability scanners, Acunetix is lightning fast. With a re-engineered core, and a highly optimized crawler, every inch of Acunetix is tuned for speed and efficiency, allowing it to scan hundreds of thousands of web pages without breaking a sweat.
What’s more, Acunetix can save the progress of a scan mid way, pause it, and resume it later on from where it left off entirely automatically. This is a crucial for time boxed testing or when scanning enormous web applications with time restrictions.
Easy Reporting and Issue Tracker Integration
Another issue that Acunetix solves over some other web application security testing tools is the ability to instantly generate a wide variety of technical and regulatory and compliance reports such as PCI DSS, HIPAA, OWASP Top 10 and many others. Additionally, Acunetix allows users to export discovered vulnerabilities to Issue Trackers such as Atlassian JIRA, GitHub, GitLab, Bugzilla, Mantis, and Microsoft Team Foundation Server (TFS).
Frequently asked questions
A black-box scanner is a web vulnerability scanner that tests the web application from the point of view of a potential attacker. It is also often called a DAST scanner (dynamic application security testing). Black-box scanners do not need access to the application source code and they can scan any type of web application, no matter what technology it was built with.
A white-box scanner (also called a SAST scanner – static application security testing) must have access to the application source code and must support all languages and technologies used to build a web application. White-box scanners are only used when you build applications and they are known to report a lot of false positives. However, they can reach fragments of code that are not used in the application yet.
Grey-box testing merges the advantages of black-box and white-box testing. A grey-box scanner may either be a white-box scanner with some black-box functionality or, more advantageous, a black-box scanner with a white-box module that analyzes the source code or the byte code. Grey-box testing is often called IAST (interactive application security testing).
Acunetix may be used as a black-box scanner or as a grey-box scanner. By default, Acunetix is a black-box scanner but its module called AcuSensor introduces grey-box scanning capabilities. AcuSensor is available for PHP, Java, and .NET.
Learn more about prominent vulnerabilities, keep up with recent product updates, and catch the latest news from Acunetix.
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”Kurt Zanzi, Xerox CA-MMIS Information Securtiy Office, Xerox