Transcript Choosing the Best web app security Scanner

 Chirita Ionel
 Application Security Analyst @
 OWASP Chapter board member
 Wide Coverage
 Fast scans
 Low number of false positives
 Low number of false negatives
 Scalability
 Easy to use
 Permanent vulnerability database updates
 To be Cheap !?
 Hardware Requirements & support
 Protocol support
 Authentication
 Session management
 Crawling
 Data Parsing
 Testing
 Command and control
 Reporting
 Thick client vs cloud
Transport support
Proxy support
 HTTP1.0 & HTTP1.1
 SSL/TLS
 HTTP1.0 & HTTP1.1 proxy
 HTTP keep alive
 Socks 4 proxy
 HTTP compression
 Socks 5 proxy
 HTTP user agent configuration
 PAC file support
 Basic
 Digest
 HTTP negotiate – NTLM & Kerberos
 Html form-based
 Automated
 Scripted
 Non-automated
 Single sign on
 Client SSL certificates
 Other
 Session management capabilities
 Start a new session
 Detect if the session is expired
 Reacquire session token
 Session management token type support
 HTTP cookies
 HTTP parameters
 HTTP URL path
 Session token detection
 Session token refresh policy
 Define starting URL
 Define additional hostname or exclusions for specific criteria
 Support automated from submission
 Detect error pages and custom 404 pages
 Redirect support
 HTML
 JavaScript
 VBScript
 XML
 Plaintext
 ActiveX Objects
 Flash
 Schedule scans
 Pause / resume
 Real-time status of running scans
 Run multiple scans simultaneously
 GUI, CLI and web based interface
 Extensibility & interoperability
 Executive summary
 Technical detailed report
 Delta reports
 Compliance report
 Customization
 Report data file format
 Why do you mean by “best” ?
 Or the cheapest ?
 By Larry Suto
 … running each vendor's
scanner against each of the
vendor's test sites and
comparing the results
Falsely Reported and
Missed Vulnerabilitites
Vulnerability Findings
Trained
Point & Shoot
False Negative
HP Webinspect
False Positive
HP Webinspect
Qualys
Qualys
NTOSpider
NTOSpider
Hailstorm
Hailstorm
BurpSuite
BurpSuite
IBM Appscan
IBM Appscan
Acunetix
Acunetix
0
20
40
60
80
100
120
140
160
0
20
40
60
80
100
120
Vuln's Found
Vuln's Missed
FP's Reported
160
140
120
100
80
60
40
20
0
Acunetix
IBM Appscan
BurpSuite
Hailstorm
NTOSpider
QualysHP Webinspect
 By Chirita Ionel
FP's reported
IBM
Qualys
WebInspect
Vuln's Found
Veracode
Acunetix
IBM
FP's Rported
Qualys
WebInspect
Veracode
Acunetix
Vuln's Found
0
2
4
6
8
10
0
2
4
6
8
10
Scan Time
IBM
Qualys
WebInspect
Stability
Veracode
Acunetix
IBM
Scan Time
Qualys
WebInspect
Veracode
Acunetix
Stability
0
2
4
6
8
10
0
2
4
6
8
10