by HNS - Monday, 22 November 2010.
Robert Abela is a Technical Manager at Acunetix and in this interview he discusses the process of choosing a web vulnerability scanner and underlines several factors that should be taken into consideration in the decision-making process.
Which is the best web vulnerability scanner out there?
This question has been haunting the web application security field for quite some time and rest assured that no one will ever give you a definite answer. What works for Mr A does not work for Mr B. This is because every website, or web application - as we call them today - is different. There are some scanners that perform better than others on websites developed in PHP and others that might perform better on websites developed in .NET, and so on. Also, people have different needs. Some just need a scanner to generate a PCI DSS compliance report. Others use it for consulting services, to assist them during a penetration test, and therefore need a scanner that gives them as much information as possible about the target and one that includes a good set of tools for easing the lengthy process of manual penetration testing.
How can I find out which web vulnerability scanner best suits my needs?
The best way to find out which web vulnerability scanner suits your needs is to get your hands dirty and try them out yourself against a real-life website that you will be securing. Most of the software companies developing web vulnerability scanners will willingly give you evaluation licenses. There are also a good number of test websites available on the Internet which you can use to evaluate a number of web vulnerability scanners, but such test websites can never beat the real thing, i.e. your own website.
You can also find a lot of information on the Internet about web vulnerability scanners and their performance. From time to time, a number of web security researchers and universities test these scanners against their test scenarios, and publish their findings online in white papers and web security articles. Such white papers and technical articles can give you a broad idea of who is on top of the game, but don’t base your decision only on them. Unfortunately, they can be very misleading. I am not saying that they are wrong, or that they don’t do a good job, far from it. These people are doing a very useful job, and they are helping software companies improve their web vulnerability scanners, but as explained before, you should try out web vulnerability scanners on your own websites. You’ll be surprised how differently each scanner performs on different websites.