A website is made of hundreds of lines of code, written by one or many developers. But all developers are not experts in cybersecurity, and even if they were, they remain humans, fallibles; which is why there are no impregnable sites, impervious to the most motivated hackers.
Code audits are expensive, and cannot reasonably be exhaustive. And even if they were, there are chances for the auditor to miss some subtelties, or a combination of vulnerabilities giving unexpected results.
There are thus automatic scanners, which can peruse your code and detect an huge part of the trivial or publicly known vulnerabilities, allowing the auditor to focus on the most complex ones. These web application security scanners then provide you with a report, allowing you to correct your code and thus bring the vulnerabilities that are the most easy to exploit to light.
NBS System, notably within the frame of its very high security Cloud offer CerberHost, regularly uses somes of these tools to analyze its client’s websites to better protect them. Of course, our experts can do these verifications themselves. However, the advantage of these “external” scanners is their automated and programmable characteristics ; eventually, they are used to scan the sites, regularly and completely autonomously. Thus, you can protect your website during all its life against common vulnerabilities by correcting the problems detected by the scans, without having to regularly deal with these simple but time-consuming verifications. The specialists are then free to focus on less obvious problems.
Our experts studied for you the different scanners available on the market, and now share their analysis with you.
We classified the products into 4 categories:
- Our recommendations
- The « stars »
- For non-technical people
- They did not convince us
Our cybersecurity consultants were particularly convinced by 2 autonomous scanners: Acunetix and Arachni.
There are, however, a few major differences between Acunetix and Arachni:
- Acunetix: detecting, amongst other things, many SQL and XSS vulnerabilities (two widely-used compromission vectors), and with very few false positives, it has excellent results. Little advantage, it provides a module, to be placed on the server’s side, that indicates precisely in which line of code a vulnerability is located, and what its causes are; a big saving of time which tipped the scale for our experts. It also has a webservice scanner, which is not the case for most of the other scanning tools. The licence can be bought for 4000€, and using the tool then costs 800€ a year.
- Arachni: if your profile is more “opensource”, Archni is made for you! This framework, free by definition, is coded in Ruby and has excellent detection results in all categories. It also has an auto-learning module to adapt to the complexity and changes of applications. Its big advantage is that it natively deals with the load-balancing: it is possible to add (and delete), on the fly, machines to the scan, enabling to distribute it and thus to multiply its power. This functionnality is particularly useful to scan big websites that require a lot of resources. Unfortunately, this tool sometimes lack a little finish.
The « stars »
There are also good scanners, developed by IT giants; their price, however, is proportional to their fame…
- Appscan: It is a software developed by IBM, costing 37000$ per licence, then 17000$ per year. It is a complete software, kind of like the SAP suite.
- Webinspect: developed by HP, Webinspect is also a giant, able to be distributed, to deal with roles and compliance, that can be embedded with other HP products, etc. The price is not disclosed, one can thus only imagine the cost of this solution…
These two behomoths are unsuitable for most companies.
For non-technical people
The best option if you are not technical is to scan your website with Vega, the open-source software developed by Subgraph. Our team was really surprised (and convinced) by this unpretentious software, which does its work and does it well. Free and intuitive, it generates a non-technical report for the website, understandable for everyone, in order to accompany you in the securisation of your website.
They did not convince us
- Tinfoil Security: with this tool, for 200$ a month you will benefit from an external scan per week for your site (only valid on 1 website). It is a software as a service (SaaS) framework, which makes it a more devops-oriented application. If you have a tight budget and a technical team, don’t hesitate to send them an e-mail, their support team is very nice.
- Netsparker: for 6000$ a year, this scanner is quite useful to “clear away” the obvious vulnerabilities. It is unfortunately not customizable. Furthermore, even if it claims to be false positive free, in the facts we notice false positives concerning SQL injection vulnerabilities.
All existing solutions were not analyzed or mentioned here, but this little study can help you make a decision matching your resources, your company’s size, the number of websites to scan, your technical capacities… However, it is important to realize that these tools, however efficient, will never replace the expertise of a cybersecurity specialist. A website is never 100% secure, but choosing the right partners and not neglegting this aspect will save you from many disappointments.
Source: Julien Voisin