According to OWASP (Open Web Application Security Project), web application vulnerability scanners are “…automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal, and insecure server configuration.” Vulnerability scanners are a subset of the Dynamic Application Security Testing (DAST) tool category.
Vulnerability scanners are an important link in any security stack. In this blog post, we’ll provide general criteria for evaluating vulnerability scanners and compare eight leading commercial and open-source products. We’ll also discuss how JetPatch integrates with a wide range of vulnerability scanners and uses their outputs in its automated patch management solution.
How to Evaluate a Vulnerability Scanner
An enterprise-grade vulnerability scanner automatically maintains a database of known vulnerabilities and constantly monitors web servers, apps, and networks for existing and potential security weaknesses. It crawls target websites or apps to discover all possible attack vectors and accesses every discovered link—including client-side scripts—with HTTP requests that are specially designed to discover potential vulnerabilities.
An enterprise-grade scanner will assess the risk level of detected issues for your organization and provide remediation guidelines—including a prioritized list of what should be patched. The scanner also alerts system or network administrators to vulnerabilities and exploits, and some can even trigger an automated patching process.
In order to find the right vulnerability scanner for your organization’s needs, there are a number of criteria that you should evaluate:
- Does the scanner support the various frameworks in which you develop and deploy your services and apps?
- Is the scanner compatible with your database backend servers?
- Does the scanner achieve near-100% accuracy, both in identifying bona fide threats (true positives) and in not raising alerts on benign behaviour (true negatives)?
- Does it provide customizable, detailed, and actionable reports?
- Can it be easily integrated into your existing development and security stacks?
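The accuracy criterion above is easiest to judge against a benchmark whose vulnerable and benign endpoints are known in advance (a deliberately vulnerable test application, for instance). The following is an added example, not code from the original post; the endpoints, vulnerability classes and the two scanner reports are constructed sample data.

```python
# Constructed benchmark: (endpoint, vulnerability class) pairs that really are
# vulnerable, plus pairs that were probed and are known to be benign.
KNOWN_VULNS = {("/login", "sqli"), ("/search", "xss"), ("/download", "path-traversal"), ("/admin/ping", "cmdi")}
BENIGN = {("/about", "xss"), ("/search", "sqli"), ("/login", "xss"), ("/download", "sqli"), ("/admin/ping", "sqli")}

# Constructed reports from two hypothetical scanners, already reduced to pairs.
REPORTS = {
    "scanner_a": {("/login", "sqli"), ("/search", "xss"), ("/download", "path-traversal"), ("/about", "xss")},
    "scanner_b": {("/login", "sqli"), ("/search", "xss"), ("/admin/ping", "cmdi"), ("/search", "sqli"), ("/login", "xss")},
}


def score(findings, known_vulns=KNOWN_VULNS, benign=BENIGN):
    """Confusion-matrix counts and the rates an evaluation should compare."""
    findings = set(findings)
    tp = len(findings & known_vulns)   # real issues the scanner reported
    fp = len(findings - known_vulns)   # alerts with no real issue behind them
    fn = len(known_vulns - findings)   # real issues the scanner missed
    tn = len(benign - findings)        # benign probes correctly left unflagged
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


def missed_classes(findings, known_vulns=KNOWN_VULNS):
    """Vulnerability classes with at least one known instance the scanner
    missed; these point at the coverage gaps the criteria above ask about."""
    return sorted({cls for (_endpoint, cls) in known_vulns - set(findings)})


def rank(reports=REPORTS):
    """Order scanners by recall, then precision (higher is better for both)."""
    scored = {name: score(f) for name, f in reports.items()}
    return sorted(scored, key=lambda n: (scored[n]["recall"], scored[n]["precision"]), reverse=True)
```

On this data both scanners find three of the four real issues, but scanner_b raises two spurious alerts to scanner_a's one, so it ranks lower.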
Eight Leading Vulnerability Scanners
In this section, we describe eight vulnerability scanners, presented in alphabetical order. The following table summarizes their key characteristics, followed by more detailed descriptions below.
[Summary table (one row per scanner, with its licensing model and the targets it covers) did not survive extraction. The recoverable cells are: licensing: "Annual tiered license", "Open-source, free, command line only"; coverage: "Web apps (basic edition) and networks (enterprise edition)", "Apps of all sizes, network devices, mobile devices", "Web apps and servers", "Web servers and software", "Mobile devices, web apps, servers, private clouds". The per-product descriptions below carry the same information.]
Acunetix Vulnerability Scanner
The Acunetix Vulnerability Scanner uses a multi-threaded, fast crawler in a fully automated tool that combines dynamic and static scanning technologies to detect vulnerabilities that would otherwise be missed while keeping false positives to a minimum. It uses a dedicated monitoring agent and provides a complete vulnerability management package.
- Detects 4,500+ web app vulnerabilities.
- Scans both open-source and custom-built apps.
- 100% accuracy in detecting critical vulnerabilities.
- Advanced SQL Injection and Cross-site Scripting (XSS) testing.
- Can crawl client-side single page applications (SPAs).
A five-target annual Enterprise license costs $6,995 and includes continuous scanning, issue tracker and WAF integration, compliance and other reports, and scanning for 50,000+ network vulnerabilities.
Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free Microsoft IT tool to monitor Microsoft products for security patch/update compliance and common security misconfigurations. After scanning a system, MBSA presents suggestions for fixing detected vulnerabilities.
MBSA is still an essential IT security tool in any organization that uses Microsoft products. However, it must be supplemented by other vulnerability scanners in order to ensure end-to-end coverage of all OSes, apps, and infrastructures.
This is a free tool provided by Microsoft.
Nessus Professional
Nessus Professional from Tenable Network Security is a proprietary vulnerability scanning service that supports diverse operating systems, apps, databases, and network infrastructures (cloud, physical, and virtual). Nessus Professional can be configured for any combination of traditional active scans (credentialed and non-credentialed) as well as agent scans for thorough coverage with minimal latency. The results of its network probing are delivered in various formats such as plain text, XML, HTML, and LaTeX.
- Self-discovers web apps and their architectures.
- Highly automated, no-touch scans.
- Minimal false positives and negatives.
- Single-pane, unified view of all vulnerabilities.
Nessus has a one-year subscription covering up to 250 assets for ~$2,400, two-year for ~$4,600, and three-year for ~$6,800.
Netsparker
Netsparker is a fully automated web app vulnerability scanner that integrates tightly with SDLC and DevOps environments. Its proprietary Proof-Based Scanning™ technology automatically verifies whether or not a detected vulnerability is real, thus eliminating time-consuming false positives. It detects advanced and elusive vulnerabilities such as Out-of-Band SQL Injection, Server-side Request Forgery (SSRF) and Blind Cross-site Scripting.
- Automatically detects web services and apps.
- Accurately reports vulnerability type and variants.
- Assesses and highlights the impact of an identified vulnerability.
The yearly license for a multi-user vulnerability scanning and management license is $7,995.
Nexpose
Nexpose from Rapid7 is the proprietary version of Rapid7’s free Nexpose Community tool. Nexpose can be deployed on-premise or on a private cloud as a virtual or physical appliance or managed service. Rapid7 also offers a cloud-based version called InsightVM that, like Nexpose, is powered by the Rapid7 Insight platform.
Integrated with VMware, AWS, and Microsoft Azure, Nexpose automatically identifies and scans active services, open ports, and running applications across a virtually unlimited number of machines.
- Real-time vulnerability exposure based on a powerful knowledge base.
- Automatically detects new devices as they access the network.
- Its unique prioritization system takes into account the age of the vulnerability and other parameters in order to produce more meaningful risk scores.
- IT teams get the information they need to remediate issues quickly.
There is a free community edition of Nexpose. However, the Pro and Enterprise versions entail an annual licensing fee that ranges from $2,000 to $25,000+ depending on the coverage required.
Nikto
Nikto, sponsored by Netsparker, is a Perl-based open-source web server scanner that assesses potential security vulnerabilities. Not a stealth tool, Nikto openly probes a web server within a minimal timeframe and is visible in log files and to Intrusion Detection/Prevention Systems (IDS/IPS). In fact, Nikto can be a useful tool to test a deployed IDS/IPS.
- Automatically discovers installed web servers and software.
- Checks for: 6,700+ dangerous files and programs, outdated versions for 1,250+ servers, and version-specific issues for 270+ servers.
- Scans for server configuration vulnerabilities such as multiple index files, forgotten scripts, HTTP options, etc.
- Reduces false positives by applying multiple methods (headers, page content, content hashing).
- Reports are easily customized.
Nikto is a free command-line vulnerability scanner.
OpenVAS
OpenVAS from Greenbone Networks is a free, cross-platform vulnerability scanner that executes 50,000+ Network Vulnerability Tests (NVTs). OpenVAS also includes a management console for configuring and running the scanner as well as for storing consolidated test results in a central SQL database.
- Supports various operating systems.
- Its scan engine and Network Vulnerability Tests are continuously updated.
- Features built-in penetration testing.
- Comprehensive scanner for security vulnerabilities in network servers and other devices.
Supported by a large open-source community, OpenVAS services are free of charge. However, an enterprise-grade appliance based on OpenVAS, Greenbone Security Manager (GSM), is available from a network of resellers with prices ranging from $3,400 for small infrastructures up to $135,000 for organizations with many security zones and target IPs.
Retina Network Security Scanner
Retina Network Security Scanner from BeyondTrust is a powerful open-source scanner that identifies network vulnerabilities, configuration issues, and missing patches across a range of operating systems, applications, devices, and virtual environments. The Retina NSS is available as an on-premises application, a host-based SaaS option, or part of the Retina CS vulnerability management solution.
- Accurate self-discovery of all network assets, including IoT devices and cloud infrastructure.
- Frequently updated comprehensive database that also covers zero-day exploits.
- Faster mitigation with vulnerabilities prioritized by risk level and criticality.
A Community Edition is available free of charge, limited to 256 IPs. For enterprise-grade protection, an on-premise subscription that supports unlimited IP addresses costs $1,870 per year per machine.
JetPatch and Vulnerability Scanners
Despite the strong capabilities and features of the tools described above, it is unlikely that any single vulnerability scanner will be able to meet all the needs of the fragmented and distributed network infrastructures of today. Thus, it is not unusual for multiple scanners to be integrated into an organization’s security stack, creating a whole new set of challenges around aggregating all results into an effective vulnerability management framework.
It is for this reason that JetPatch, an end-to-end automated patch and vulnerability remediation platform, was designed from the start to integrate seamlessly with any number of leading vulnerability scanners and leverage their various inputs for its automated patch management workflows. Take a look at their site to learn how JetPatch can shorten your time-to-remediation, automate your patch roll-outs, and ensure that your patch and vulnerability processes will be consistent across your entire organization.
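The aggregation problem described above (several scanners, one remediation queue) comes down to normalizing each scanner's findings onto a common key, deduplicating, and then ordering by a risk score that, as in Nexpose's prioritization, weighs the age of the vulnerability alongside its severity. The following is an added illustration, not JetPatch's or any vendor's code: each scanner's output is modelled as already-parsed records in that scanner's own vocabulary, and the field names, host, and CVE ids are constructed placeholders rather than any real export format.

```python
from datetime import date

# Constructed sample output of two scanners on one host. Field names and
# CVE ids are placeholders, not any real scanner's export format.
SCANNER_A = [  # numeric severity 0-4, always carries a CVE
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-0000-0001", "severity": 4, "published": "2019-01-10"},
    {"host": "10.0.0.5", "port": 22, "cve": "CVE-0000-0002", "severity": 2, "published": "2020-06-01"},
]
SCANNER_B = [  # risk words, plus a configuration issue that has no CVE
    {"target": "10.0.0.5:443", "cve": "CVE-0000-0001", "risk": "critical", "published": "2019-01-10"},
    {"target": "10.0.0.5:80", "cve": None, "check": "dir-listing", "risk": "medium", "published": None},
]
RISK_WORDS = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize_a(rec):
    """Map a scanner A record onto the common (host, port, id) schema."""
    return {"host": rec["host"], "port": rec["port"], "id": rec["cve"],
            "severity": rec["severity"], "published": rec["published"], "sources": {"A"}}

def normalize_b(rec):
    """Map a scanner B record; a CVE-less check is keyed by its check name."""
    host, port = rec["target"].rsplit(":", 1)
    return {"host": host, "port": int(port), "id": rec["cve"] or rec["check"],
            "severity": RISK_WORDS[rec["risk"]], "published": rec["published"], "sources": {"B"}}

def merge(records):
    """Deduplicate on (host, port, id); keep the highest severity, union the sources."""
    merged = {}
    for rec in records:
        key = (rec["host"], rec["port"], rec["id"])
        if key in merged:
            merged[key]["severity"] = max(merged[key]["severity"], rec["severity"])
            merged[key]["sources"] |= rec["sources"]
        else:
            merged[key] = dict(rec, sources=set(rec["sources"]))
    return merged

def priority(rec, today):
    """Illustrative score: severity dominates; older, longer-exploitable issues
    rank higher, with age capped at five years so ancient CVEs do not swamp it."""
    age = (today - date.fromisoformat(rec["published"])).days if rec["published"] else 0
    return rec["severity"] * 100 + min(age, 5 * 365) // 30

def worklist(today=date(2021, 1, 1)):
    """Merged findings from both scanners, highest priority first."""
    records = [normalize_a(r) for r in SCANNER_A] + [normalize_b(r) for r in SCANNER_B]
    return sorted(merge(records).values(), key=lambda r: priority(r, today), reverse=True)
```

The finding both scanners agree on collapses into one entry tagged with both sources, which is also the evidence a patch workflow wants before closing the ticket.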