Benchmarking of web application vulnerability scanners
Field | Value
---|---
Format | text
Language | English
Published | Animo Repository, 2022
Online Access | https://animorepository.dlsu.edu.ph/etdm_infotech/4 ; https://animorepository.dlsu.edu.ph/cgi/viewcontent.cgi?article=1004&context=etdm_infotech
Institution | De La Salle University
Summary:

As most organizations already rely on digitalization regardless of their purpose, web applications are one of the main digital components used to reach their target audience. Because of this, web applications need to be deployed on the public internet. Efficient as this is, the risk of their being compromised is very high, which is why it is imperative that they undergo security checks before deployment.

Security testing in the early years was very costly, as it was mostly done manually by professionals. Later, vulnerability scanners were developed to lessen the workload of testers. However, effective and easy-to-use vulnerability scanners are expensive, while open-source scanners are very complex to use.

Open-source scanners have since improved: they now have graphical user interfaces (GUI), perform automated scanning, and generate comprehensive reports, which are the selling points of commercial Web Application Vulnerability Scanners (WAVS). Yet no studies had compared the performance gap between these scanners.

Thus, this research aimed to compare the accuracy and reporting capabilities of 2 commercial and 2 open-source WAVS. The evaluation was done through Acunetix Acuart and the OWASP Benchmark for accuracy, and through WIVET for URL crawling.

The results imply that open-source vulnerability scanners are already competitive enough to match the detection capabilities of commercial ones, as well as the visualization of their reports. On the other hand, we also discovered an incompatibility of the commercial WAVS with the OWASP Benchmark, which caused an absence of data for comparison. Lastly, it was noted that none of the WAVS were able to crawl and detect all test cases of the benchmarking tools. Therefore, scanners still cannot fully replace the practice of penetration testing and human validation.