I’m happy to announce the availability of a new WASC project I have been working on for a long time – WASSEC:
The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing, and reporting.
The goal of the WASSEC is to create a vendor-neutral document to help guide web application security professionals during web application scanner evaluations. This document provides a comprehensive list of features that should be considered when conducting a web application security scanner evaluation. Different users will place varying levels of importance on each feature, so the WASSEC gives the user the flexibility to take this comprehensive list of potential scanner features, narrow it down to a shorter list of features that matter to the user, assign a weight to each feature, and conduct a formal evaluation to determine which scanning solution best meets the user's needs.
The aim of this document is not to define a list of requirements that all web application security scanners must provide in order to be considered a "complete" scanner, and evaluating specific products and providing the results of such an evaluation is outside the scope of the WASSEC project. Instead, this project provides the tools and documentation to enable anyone to evaluate web application security scanners and choose the product that best fits their needs. NIST Special Publication 500-269, "Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0", contains minimal requirements for mandatory and optional web application scanner features. This document can be found at https://samate.nist.gov.
Some of the sharpest minds in the webappsec industry contributed to this (group) effort, and I hope you will find it useful when evaluating scanning products. If you’d like to discuss this document in person, I will be at the OWASP AppSec DC conference next month, and would gladly answer any questions you might have.