
Rolling Review: Acunetix Finishes Strong

Channel: Data Protection

The Upshot



Claim
Web application scanners in this Rolling Review must not only find traditional vulnerabilities, like XSS and SQL injection flaws, but also handle Ajax applications, in which part of the app is running locally in the browser.
Context
Complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that isn't able to handle Web 2.0 environments, given that so much future development is moving in that direction. Web application scanners should also be just one element in a comprehensive, layered program—educating developers and integrating security reviews into the development lifecycle are just as crucial.
Credibility
Acunetix puts together a complete package that escapes most of the flaws and bugs other products were tripped up by. It's not superlative in anything, but it also doesn't have any big weaknesses. Its Ajax support was better than some, but still doesn't meet our standards.


Acunetix Ltd. Web Vulnerability Scanner

If there's such a thing as seminars on product naming, marketing managers for N-Stalker's Web Application Security Scanner 2006 Enterprise Edition and Acunetix's Web Vulnerability Scanner Enterprise must have attended the same session. Fortunately for Acunetix, a descriptive name is where the similarities end. While N-Stalker did not fare well in this Rolling Review, Acunetix topped off a nearly trouble-free experience with a full feature set and accurate findings.

We found WVS the smoothest, easiest-to-use Web application scanner in this Rolling Review series. Almost everything worked exactly as it should, with no fiddling with options or calls to support required. This is a surprisingly rare occurrence but one that we as reviewers welcome—and not only because it saves us work. More importantly, we know our readers will have a good experience. There's nothing like buying an expensive piece of software only to feel like you're paying for the privilege of beta testing.

Of course, there's more to scoring well in a review than avoiding interface bugs and configuration quirks and catching the (relatively) simple vulnerabilities in our sample applications. Our requirements also include the ability to expose advanced features and capabilities for users who have the know-how to really dig deep into an application. WVS is not quite the most flexible or powerful product in the group in that regard, but it compares well. With the expected set of built-in utilities (HTTP Request Editor, Fuzzer, Password Brute force tool and more), WVS is missing only a few of the flashier features of the most extensible products.



This article is part of NWC's Rolling Review of Web Applications Scanners.

One product feature that will appeal to advanced users is the ability to generate custom checks. While all the products tested offer this capability, the tool included in WVS is both powerful and easy to use. We could quickly build requests and analyze responses without, say, knowing JavaScript, as Hailstorm checks require.

Interface bugs and GUI standouts are sometimes cheap targets for reviewers. It doesn't take much testing, after all, to report on how pretty a program looks or the fact that certain actions took too many clicks. And yet, usability issues are important. If a product is troublesome to interact with or get results from, that wasted time eventually adds up to man-hours down the tubes that might represent the difference in price for a more expensive product.
