SBN

How To Benchmark a Web Vulnerability Scanner?

You’ve made the right decision to improve your web application security stance and perform regular web application scanning. However, there are several renowned web vulnerability scanners on the market and you have to choose one. How do you do that?

As a first step, you probably researched all the options and selected a list of products that may satisfy your needs. Then, you checked whether the manufacturers of these products are renowned and trustworthy and whether the products have good ratings from other customers. You probably also read a lot of feature descriptions and possibly even some support documentation for these products. You’ve requested a demo, you’ve received a trial version of the product, and now you have the tool to test. Now what?

You can, of course, begin by testing the trial version of each tool with your own websites and web applications. However, unless you have been very lax with security, you won’t find that many types of vulnerabilities and you will have no idea how effective the tool will be in the future. You can also test the tool with intentionally vulnerable websites provided by the tool manufacturer (if any) but you won’t be able to see or tweak the application code, so it might not be enough. What else can you do?

Intentionally Vulnerable Applications to the Rescue

Aspiring penetration testers and security researchers have similar problems to yours. They need some kind of a testing ground to learn and verify their skills. It would not be very efficient if they created their own vulnerabilities and then tried to discover them. That’s why they rely on intentionally vulnerable applications.

Intentionally vulnerable applications are usually developed as open-source. Most often, they come as ready-to-install packages with a local web server and a local database. You can run them in silos completely independent of your current environment. Security analysts can practice their manual skills on such applications but these apps are just as good for evaluating web vulnerability scanners. Even professional benchmarkers use such applications as a basis for scanner evaluation.

Here are the most notable examples of renowned and continuously developed intentionally vulnerable web applications. We’ve also prepared step-by-step guides for each of them to show you how to use them to benchmark Acunetix.

There are more such applications available on the web. However, the above three are a good starting point. We will gladly show you how to configure Acunetix so you can thoroughly scan any testing environment. Get a Demo today.

THE AUTHOR
Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/-k7Xwx1-zoM/