Testing for vulnerabilities is just one part of a wider secure software development life cycle. While manual testing has great value, the use of automated tools is necessary to assist with anything but the smallest of applications. But which tools should you use?
The results of a comparison of dynamic web application vulnerability scanners have just been published by Shay Chen. The 2012 Web Application Scanner Benchmark updates a similar study undertaken in 2011 and compares ten different aspects of the tools.
The analysis examined 11 commercial tools and a slightly larger number of maintained free/open source tools and provides a superb reference for anyone undertaking a selection process. The results are presented in a dozen web pages at http://sectoolmarket.com/.
Of course what matters is the coverage, false negative rate, false positive rate and the features you need for your own style of applications.
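As an added illustration of those four criteria (not code from the benchmark or from Shay Chen), the following Python script scores a scanner run against a labelled test suite. The benchmark cases, the scanner's reported findings and the set of pages it actually requested are all constructed here; the point is to separate a miss caused by the scanner never reaching a page (a coverage problem) from a miss on a page it did exercise (a detection problem), and to measure false positives on deliberately safe look-alike cases.

```python
"""Score a DAST scanner run against a labelled benchmark (constructed data).

Each benchmark case is either truly vulnerable or a safe look-alike. The
scanner's output is the set of (case_id, class) findings it reported, and
the access log tells us which cases it actually requested (crawled).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    case_id: str
    vuln_class: str   # e.g. "sqli", "xss"
    vulnerable: bool  # ground truth for this case


# Constructed benchmark; ids and classes are illustrative, not sectoolmarket data.
BENCHMARK = [
    TestCase("sqli-01", "sqli", True),
    TestCase("sqli-02", "sqli", True),
    TestCase("sqli-03", "sqli", True),
    TestCase("sqli-fp-01", "sqli", False),  # echoes input but is parameterised
    TestCase("xss-01", "xss", True),
    TestCase("xss-02", "xss", True),
    TestCase("xss-fp-01", "xss", False),    # reflects input, but HTML-encoded
    TestCase("xss-fp-02", "xss", False),
]

# Constructed scanner report: (case_id, class) pairs the tool flagged.
REPORTED = {
    ("sqli-01", "sqli"), ("sqli-02", "sqli"), ("sqli-fp-01", "sqli"),
    ("xss-01", "xss"),
}

# Constructed crawl coverage: case ids seen in the target's access log.
CRAWLED = {"sqli-01", "sqli-02", "sqli-03", "sqli-fp-01", "xss-01", "xss-fp-01"}


def score(benchmark, reported, crawled):
    """Return per-class counts and rates: coverage, tpr, fnr, fpr.

    fn_not_crawled counts vulnerable cases the scanner never requested, so
    the miss is attributable to crawling rather than to the detection engine.
    """
    results = {}
    for cls in sorted({tc.vuln_class for tc in benchmark}):
        cases = [tc for tc in benchmark if tc.vuln_class == cls]
        vuln = [tc for tc in cases if tc.vulnerable]
        safe = [tc for tc in cases if not tc.vulnerable]

        tp = sum(1 for tc in vuln if (tc.case_id, cls) in reported)
        fp = sum(1 for tc in safe if (tc.case_id, cls) in reported)
        fn_cases = [tc for tc in vuln if (tc.case_id, cls) not in reported]
        fn_not_crawled = sum(1 for tc in fn_cases if tc.case_id not in crawled)
        covered = sum(1 for tc in cases if tc.case_id in crawled)

        results[cls] = {
            "n_cases": len(cases),
            "n_vuln": len(vuln),
            "n_safe": len(safe),
            "tp": tp,
            "fp": fp,
            "fn": len(fn_cases),
            "fn_not_crawled": fn_not_crawled,
            "coverage": covered / len(cases),
            "tpr": tp / len(vuln) if vuln else 0.0,
            "fnr": len(fn_cases) / len(vuln) if vuln else 0.0,
            "fpr": fp / len(safe) if safe else 0.0,
        }
    return results


def report(results):
    """Render the per-class table as text for a human reader."""
    lines = ["class  cover  TPR    FNR    FPR   misses(uncrawled)"]
    for cls, r in results.items():
        lines.append(
            f"{cls:<6} {r['coverage']:.2f}   {r['tpr']:.2f}   {r['fnr']:.2f}"
            f"   {r['fpr']:.2f}  {r['fn']}({r['fn_not_crawled']})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(score(BENCHMARK, REPORTED, CRAWLED)))
```

Read the two rows together: the SQL injection engine reaches every case and finds two of three, but it also flags the safe look-alike, so its false positive rate on this tiny set is 100%; the XSS engine reports nothing spurious, yet half its benchmark is never requested at all, which is a crawler shortfall rather than a detection weakness. A tool that looks strong on one axis can look weak on another, which is why a benchmark needs all four numbers rather than a single score.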
See also the comparative studies in the other papers referenced, but especially Analyzing the Accuracy and Time Costs of Web Application Security Scanners, Larry Suto, February 2010 (and discussion/responses) and the SAMATE bibliography.
Posted on: 22 July 2012 at 15:06 hrs