Chirita Ionel, Application Security Analyst, OWASP Chapter board member

What we expect from a web application vulnerability scanner:
- Wide coverage
- Fast scans
- Low number of false positives
- Low number of false negatives
- Scalability
- Easy to use
- Permanent vulnerability database updates
- To be cheap!?

Evaluation areas:
- Hardware requirements & support (thick client vs. cloud)
- Protocol support
- Authentication
- Session management
- Crawling
- Data parsing
- Testing
- Command and control
- Reporting

Protocol support
Transport support:
- HTTP/1.0 & HTTP/1.1
- SSL/TLS
- HTTP keep-alive
- HTTP compression
- HTTP User-Agent configuration
Proxy support:
- HTTP/1.0 & HTTP/1.1 proxy
- SOCKS 4 proxy
- SOCKS 5 proxy
- PAC file support

Authentication:
- Basic
- Digest
- HTTP Negotiate (NTLM & Kerberos)
- HTML form-based: automated, scripted, non-automated
- Single sign-on
- Client SSL certificates
- Other

Session management capabilities:
- Start a new session
- Detect if the session is expired
- Reacquire the session token
- Session token type support: HTTP cookies, HTTP parameters, HTTP URL path
- Session token detection
- Session token refresh policy

Crawling:
- Define the starting URL
- Define additional hostnames or exclusions for specific criteria
- Support automated form submission
- Detect error pages and custom 404 pages
- Redirect support

Data parsing:
- HTML
- JavaScript
- VBScript
- XML
- Plaintext
- ActiveX objects
- Flash

Command and control:
- Schedule scans
- Pause / resume
- Real-time status of running scans
- Run multiple scans simultaneously
- GUI, CLI and web-based interface
- Extensibility & interoperability

Reporting:
- Executive summary
- Technical detailed report
- Delta reports
- Compliance report
- Customization
- Report data file format

What do you mean by "best"? Or the cheapest?
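Two of the checklist items above, "detect error pages and custom 404 pages" (crawling) and "detect if the session is expired / reacquire the session token" (session management), as an added worked example. This is illustrative code written for this page, not code from the talk or from any scanner named on it. It runs against a constructed in-memory fake application (FakeApp, with hypothetical /login, /home and /account routes, the made-up credentials alice/s3cret, and a session that dies after three uses) so it executes offline; a real scanner would do the same two calibrations over HTTP.

```python
"""Added example: custom-404 calibration and session-expiry handling
in a minimal scanner, run against a constructed fake web app."""
import difflib
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class FakeApp:
    """Constructed target (not a real site): answers unknown paths with an
    HTTP 200 'friendly' error page and invalidates a session after MAX_REQUESTS uses."""
    MAX_REQUESTS = 3

    def __init__(self):
        self.sessions = {}  # session token -> remaining requests before expiry

    def request(self, method, path, cookies=None, data=None):
        cookies, data = cookies or {}, data or {}
        if method == "POST" and path == "/login":
            if data.get("user") == "alice" and data.get("pass") == "s3cret":
                tok = secrets.token_hex(8)
                self.sessions[tok] = self.MAX_REQUESTS
                return Response(302, "", {"Set-Cookie": f"sid={tok}; Path=/; HttpOnly",
                                          "Location": "/account"})
            return Response(200, "<html><form action='/login'>bad credentials</form></html>")
        if path == "/home":
            return Response(200, "<html><h1>Home</h1><a href='/account'>account</a></html>")
        if path.startswith("/account"):
            tok = cookies.get("sid")
            if self.sessions.get(tok, 0) <= 0:          # missing or expired session
                return Response(302, "", {"Location": "/login"})
            self.sessions[tok] -= 1
            return Response(200, f"<html><h1>Account</h1><p>alice viewing {path}</p></html>")
        # Soft 404: a real 200 with the requested path echoed into a branded page.
        return Response(200, f"<html><h1>Sorry, we could not find {path}</h1>"
                             "<p>Try the search box.</p></html>")


def _normalize(body: str) -> str:
    """Strip request-specific parts (paths, digits) so two not-found pages compare equal."""
    return re.sub(r"/[\w./-]*|\d+", "", body)


class Scanner:
    def __init__(self, app: FakeApp, creds: dict):
        self.app, self.creds = app, creds
        self.cookies = {}
        self.not_found_fingerprint = None
        self.reacquired = 0  # times an expired session had to be re-established

    # Authentication: HTML form-based, automated
    def login(self) -> str:
        r = self.app.request("POST", "/login", data=self.creds)
        m = re.search(r"sid=([0-9a-f]+)", r.headers.get("Set-Cookie", ""))
        if r.status != 302 or not m:
            raise RuntimeError("login failed")
        self.cookies = {"sid": m.group(1)}
        return m.group(1)

    # Crawling: detect custom 404 pages by probing random, surely-nonexistent paths
    def calibrate_not_found(self) -> bool:
        r1 = self.app.request("GET", "/" + secrets.token_hex(6))
        r2 = self.app.request("GET", "/" + secrets.token_hex(6))
        if r1.status == 404 and r2.status == 404:
            return False  # server signals not-found properly; nothing to calibrate
        ratio = difflib.SequenceMatcher(None, _normalize(r1.body), _normalize(r2.body)).ratio()
        if ratio >= 0.9:  # same page for two unrelated paths => custom 404 page
            self.not_found_fingerprint = _normalize(r1.body)
            return True
        return False

    def is_not_found(self, resp: Response) -> bool:
        if resp.status == 404:
            return True
        if self.not_found_fingerprint is None:
            return False
        ratio = difflib.SequenceMatcher(None, _normalize(resp.body),
                                        self.not_found_fingerprint).ratio()
        return ratio >= 0.9

    # Session management: detect expiry, reacquire the token, retry the request
    @staticmethod
    def session_expired(resp: Response) -> bool:
        return resp.status == 302 and resp.headers.get("Location", "").startswith("/login")

    def fetch(self, path: str) -> Response:
        resp = self.app.request("GET", path, cookies=self.cookies)
        if self.session_expired(resp):
            self.login()
            self.reacquired += 1
            resp = self.app.request("GET", path, cookies=self.cookies)
        return resp


if __name__ == "__main__":
    app = FakeApp()
    s = Scanner(app, {"user": "alice", "pass": "s3cret"})
    print("custom 404 page detected:", s.calibrate_not_found())
    s.login()
    for _ in range(5):
        s.fetch("/account")
    print("sessions reacquired during 5 requests:", s.reacquired)
```

The 0.9 similarity threshold and the path/digit stripping in _normalize are the two knobs that decide false positives here: too loose and every short page looks like the error page, too strict and a soft-404 that echoes the request path never matches its own fingerprint. Real scanners also treat an in-body login form (not only a redirect to /login) as a sign the session is gone.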
[Chart residue; only the chart titles, scanner names and axis labels are recoverable.]

By Larry Suto … running each vendor's scanner against each of the vendor's test sites and comparing the results.
Charts: "Falsely Reported and Missed Vulnerabilities" and "Vulnerability Findings" (Trained vs. Point & Shoot), per scanner: HP WebInspect, Qualys, NTOSpider, Hailstorm, BurpSuite, IBM AppScan, Acunetix. Series: Vuln's Found, Vuln's Missed (false negatives), FP's Reported (false positives); counts on a 0 to 160 scale.

By Chirita Ionel
Charts: FP's Reported, Vuln's Found, Scan Time, Stability; each scored 0 to 10 for IBM, Qualys, WebInspect, Veracode, Acunetix.