Once again, AppScan has proven to be the leader of web application security testing tools, in a recent benchmark of over 60 commercial and open-source tools published by Shay Chen.
The benchmark covered several categories aimed to help choose the web application scanner right for you. A few of the more important categories are the different input vectors a scanner is capable of attacking, the different attack vectors that are in-effect used against the site, and the coverage features included in order to successfully crawl and scan the web application.
This is the 2nd year in a row that AppScan is found to be on top, and we are of course very excited, though not surprised due to AppScan's track record.
This year's benchmark included new attack "traps" for scanners in the form of: Reflected XSS, SQL Injections, Remote and Local File Inclusions, and XSS via RFI. Where some scanners stumbled, AppScan feared-not and overcame the obstacles put in its way.
AppScan gave the Reflected XSS tests a run for their money, with 100% detection and 0% false postives!
And if we're on the subject, we can safely hint that we have some tricks up our sleeve coming your way - so stay tuned!
As for SQL Injection - AppScan managed to do an amazing job as well, with 100% detection (136 out of 136 issues), but with 3 false positives. This is, of course, something that our Security Team will be working on fixing and rolling out an update for.
The WAVSEP benchmark is a personal favorite of mine, I must commend Shay for doing such a great job across the board. I highly recommend a good read of Shay's blog post about the benchmark, as well as the summarized site.
On a side note, this benchmark didn't include Glass Box testing (IAST), an integral feature of AppScan, opening a world of capabilities in web application security scanning. I hope to see Glass Box testing being targeted in the future benchmarks.
For in-depth reading about the benchmark:
More of our posts that may interest you:
- Automated Blackbox Crawling: The Next Generation
- Enhancing Web Application Security Testing with IBM Security AppScan Glass Box
- Testing RESTful Services with AppScan Standard
- Handling Complex Scenarios with AppScan's Custom Parameters