In this age of Web 2.0-based attacks, companies are turning to a variety of Web application security scanners to help them find and fix security holes. But according to a study conducted by independent security consultant Larry Suto, some of these scanners are overlooking quite a few vulnerabilities.
The report is accessible via the ha.ckers.org blog and looks at three tools in particular — NTOSpider, AppScan (IBM/Watchfire) and WebInspect (HP/Spi Dynamics). Of the three, he said:
— NTOSpider found 227 vulnerabilities with zero false positives.
— AppScan (IBM/Watchfire) found 27 vulnerabilities with five false positives.
— WebInspect (HP/Spi Dynamics) found 12 vulnerabilities with 13 false positives.
Now, to be fair, this is based on one man’s research and isn’t necessarily the ultimate verdict on how effective these tools are. I should also point out that the study was brought to my attention by the CEO of the vendor that fared best, NT OBJECTives Inc.’s Matthew L. Cohen.
My purpose in flagging this is to get a discussion going among researchers and users alike about which Web application scanning tools they use, and which ones are the best and which the worst.
I want to pinpoint the common strengths and weaknesses of these tools and hopefully offer IT professionals some useful guidance as a result. This is a terribly important topic, given all the Web 2.0 threats we’ve been writing about of late.
So don’t be shy — let me know what you think.