>>>> See the most recent results of the 2012 WAVSEP benchmark! <<<<
Shay Chen, an Information Security consultant and blogger, recently published the latest results of his ultra-thorough web application security scanner comparison. The survey covered 60 (!) different open source and commercial scanners, and summarized some of the most critical features and capabilities of each scanner, such as:
- Audit features and capabilities
- Active vulnerability detection features
- Complementary scanning features (passive analysis, known issues, etc.)
- Usability, Coverage and Scan Initiation Features
- Authentication, Scan Control and Connection Support Features
- Advanced and Uncommon Features
- Accuracy benchmark (performed against WAVSEP)
- Cross-site scripting success & false positives rate
- SQL Injection success & false positive rate
Needless to say, AppScan Standard Edition led the pack in most aspects - especially around Audit Features and Scanning Capabilities, where no other scanner came even close:
This of course was not a surprise to us: AppScan Standard has been around since 1999 and is an extremely mature product. It is capable of scanning *any* type of application, and can be customized to work in every kind of environment it faces (non-standard URLs, RESTful applications, JSON, JavaScript frameworks and AJAX, Adobe Flash/Flex, SOAP web services, etc.).
On the accuracy front - when it comes to detecting Cross-site Scripting (XSS), AppScan performed flawlessly, and ranked #1:
100% detection rate on all of the reflected XSS test cases, and 0% false positives on the false positive test cases (WAVSEP includes special test cases that attempt to trick the scanner into reporting a false positive, and AppScan did not fall for them).
In the SQL Injection tests, AppScan performed extremely well (although it did not rank #1): it found 127 of the 136 test cases (93.38% success rate), with 3 false positives out of the 10 false positive test cases.
- Needless to say, this will be improved and fixed as soon as possible, so that we rank #1 in SQLi as well.
- We did demo the next release of AppScan Standard to Shay Chen, which includes a promising new technology capable of dramatically increasing the detection rate for such issues. The results were astounding: 100% success rate (136/136) and 0% false positives! So stay tuned!
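To make the accuracy numbers above concrete, here is an added example (not part of the original post, and not WAVSEP's or AppScan's code) that models how such a benchmark scores a scanner: a true-positive page that echoes input raw, two constructed false-positive traps that echo it encoded or stripped, and a naive versus a strict reflection check scored the way the report does (detection rate over vulnerable cases, false-positive rate over trap cases). The page handlers, the probe string and the check heuristics are all assumptions made for illustration.

```python
import html

# Constructed probe: a harmless marker plus the characters whose raw
# reflection (angle brackets, quotes) would matter for an HTML injection finding.
PROBE = 'zz7<b>"x'


def tp_reflect_raw(q):
    """True-positive case: parameter echoed verbatim into the HTML body."""
    return f"<p>You searched for: {q}</p>"


def trap_reflect_encoded(q):
    """False-positive trap: same echo, but HTML-entity encoded (inert)."""
    return f"<p>You searched for: {html.escape(q, quote=True)}</p>"


def trap_reflect_stripped(q):
    """False-positive trap: echo with every non-alphanumeric character removed."""
    return f"<p>You searched for: {''.join(c for c in q if c.isalnum())}</p>"


def naive_check(page_fn):
    """Flags any echo of the marker text: the heuristic the traps are built to catch."""
    return "zz7" in page_fn(PROBE)


def strict_check(page_fn):
    """Flags only when the probe is reflected with its special characters intact."""
    return PROBE in page_fn(PROBE)


# Constructed WAVSEP-style case list: (name, handler, is_vulnerable)
CASES = [
    ("Case01-raw", tp_reflect_raw, True),
    ("FP01-encoded", trap_reflect_encoded, False),
    ("FP02-stripped", trap_reflect_stripped, False),
]


def score(check, cases=CASES):
    """Return (detection_rate, false_positive_rate) as the benchmark reports them."""
    vuln = [fn for _, fn, is_vuln in cases if is_vuln]
    traps = [fn for _, fn, is_vuln in cases if not is_vuln]
    detected = sum(1 for fn in vuln if check(fn))
    false_pos = sum(1 for fn in traps if check(fn))
    return detected / len(vuln), false_pos / len(traps)


if __name__ == "__main__":
    print("naive :", score(naive_check))   # (1.0, 1.0): finds the bug, falls for both traps
    print("strict:", score(strict_check))  # (1.0, 0.0): finds the bug, no false positives
```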
To sum things up, Shay has done excellent work compiling and comparing a huge number of scanning tools. I strongly recommend that you review this work and download each of the comparison sections; together they contain all the information needed to choose which product best suits your needs.
Last but not least, I would like to mention that the XSS test cases did not cover DOM-based XSS, one of my favorite topics recently. AppScan is still the only scanner capable of performing true hybrid analysis (harnessing dynamic scanning capabilities with real JavaScript taint analysis) to locate a long list of client-side JavaScript issues.
>> Direct link to the scanner comparison page <<