Scanning for OWASP vulnerabilities is an ideal starting point for website security. Online businesses usually need scanning tools that can find the top 10 vulnerabilities before they can even consider looking at other security loopholes.
The Open Web Application Security Project (OWASP) is a global, not-for-profit charitable organization that publishes guidelines for application, software and website security, including a list of the vulnerabilities to focus on. The latest list of these vulnerabilities for online scanning tools was released last year:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Insecure Deserialization
- A9: Using Components with Known Vulnerabilities
- A10: Insufficient Logging & Monitoring
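Every scanner reviewed below advertises checks for the first two items on that list, injection and XSS, so it helps to know what such a finding maps to in code. The following is an added example written for this article, not code from OWASP or from any of the vendors; it uses only the Python standard library, a constructed in-memory SQLite table, and a probe string chosen here for illustration. It shows the vulnerable and the fixed form of each pattern, plus the kind of harmless reflection check an automated scanner runs to spot unencoded output.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a two-row user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # A1 Injection: the input is pasted into the SQL text, so any quote
    # character in it changes the structure of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Fix: bind the value as a parameter; the driver never parses it as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def query_tolerates(lookup, conn, name):
    """True if the lookup handles the input, False if it broke the SQL.

    A name such as O'Brien is legitimate data, yet it is enough to make the
    concatenated query fail, which is the same weakness an injection check
    is looking for.
    """
    try:
        lookup(conn, name)
        return True
    except sqlite3.Error:
        return False


def render_vulnerable(name):
    # A2 XSS: untrusted input is placed into HTML without encoding.
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    # Fix: escape HTML metacharacters before interpolating into markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def reflects_unencoded(render, probe="<owasp-probe>"):
    """What a scanner's reflected-XSS test boils down to: send a harmless
    marker that contains HTML metacharacters and see whether the page
    returns it verbatim. The probe string is an assumption of this example."""
    return probe in render(probe)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query survives O'Brien:",
          query_tolerates(lookup_vulnerable, db, "O'Brien"))
    print("parameterized query survives O'Brien:",
          query_tolerates(lookup_safe, db, "O'Brien"))
    print("vulnerable page reflects probe:", reflects_unencoded(render_vulnerable))
    print("escaped page reflects probe:", reflects_unencoded(render_safe))
```

The point of `query_tolerates` is that the concatenated query fails on ordinary data containing a quote, which is exactly the property a scanner exploits to flag injection, while the parameterized version simply returns no rows. Likewise `reflects_unencoded` is a detection heuristic, not a fix: the fix is the encoding in `render_safe`.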
So, if you are looking for a scanner that can find and report these vulnerabilities to help your company keep data, customers, and websites safe, we have just the list you should be looking at. Here are our top OWASP web scanning tools for 2018:
1 Detectify
Detectify, as a company and as a scanner, has revolutionized the way website vulnerability scanning works. It offers you the promise of one of the best detection services that is built by some of the best white hat hackers from around the world.
When Detectify was first building their product, they crowdsourced the project to top hackers and have been continuously perfecting it ever since. Below are some of the reasons why you would want to invest in a tool like this to find OWASP security loopholes on your website:
- Built by top ranked white-hat hackers
- Fully-automated tests to look for SQL injections, XSS and 700+ other vulnerabilities
- Global security community with combined intelligence to ensure threat detection
- Intuitive and easy-to-use UI that integrates with the development process to ensure that all products are safe at all stages of the SDLC
- Option to invite colleagues and security researchers to discuss and share knowledge in a central repository
- No limit on the number of pages scanned by the tool
- AWS cloud infrastructure to ensure availability and scalability at the highest level
- 6-step scanning process
- Over 700 types of tests to find each kind of vulnerability
- Customize tests and export reports
This OWASP testing tool is best suited for medium to large companies that want comprehensive security, well beyond simple automated tests, to find what hackers can exploit on the website.
2 Qualys
Although there are a lot of new players coming into the OWASP scanning market, Qualys still remains one of the most popular choices, especially in the North American region. It promises robust and continuous detection of top vulnerabilities, along with misconfigurations in the app that can lead to security breaches. Apart from the OWASP Top 10 detection services, Qualys’ tool can also detect different kinds of website malware, including the ones that notoriously corrupt your server files or throw spam popups on the website.
- Finds and catalogs vulnerabilities on all the apps in your network
- Tagging feature to categorize issues and for the ease of reporting and control
- Deep scanning feature providing instant visibility on common yet malicious vulnerabilities like SQLi and XSS
- Programmatic scanning of SOAP and REST API services
- Malware detection looks for infected code for remediation
- A central dashboard that displays information on scan, vulnerability and malware status
- Test IoT services and mobile apps as well as API-based business-to-business connectors, with Qualys WAS’ SOAP and REST API scanning capabilities
- Easy deployment on public or private clouds for scalability and control
Qualys’ web application scanning is available as a free trial, but most of the plans are suited to medium to large scale businesses.
3 Tenable
Tenable is on our list for its ability to work with all kinds of programming languages. The scanner is more than capable of handling security scan requests on HTML5 and AJAX web applications along with traditional HTML apps. The automated tests look for common OWASP security loopholes and report them through a central dashboard. With found vulnerabilities categorized into ‘Critical’, ‘High’, ‘Medium’, and ‘Low’ buckets, your team has its work cut out for it.
- Define and custom select the part of website to be scanned
- Scan capability for HTML5, HTML and AJAX web applications
- Category buckets based on severity of the found vulnerability
- Unified reporting view to prioritize remediation and keep a bird's-eye view of what is happening
Tenable also has a free trial version for companies looking to test the product first. This scanning solution is suitable for companies of all sizes.
4 Acunetix
Acunetix is probably the oldest solution on the list. Trusted by many online businesses, this security scanner automatically checks for OWASP issues including XSS (Cross-site Scripting), SQL Injection and more. Although there is a newer online version of the scan available, the company is more driven to sell the ‘Desktop’ download software, which might not be the preference for most online companies today.
- Automatic checks for XSS, SQLi and other OWASP issues
- Compatible with popular apps built on WordPress, Drupal and Joomla
- Detailed report accepted by various compliance organizations
- Low false positives and special WordPress checks
Acunetix’s online yearly subscription starts at $2000, which includes three websites and servers. It can be really cost-friendly for bigger organizations, with the Enterprise model costing $18000 for 50 websites and servers.
5 Rapid 7
At the bottom of the list, we have a slightly lesser known OWASP scanning solution that offers a 30-day free trial to test your website for SQL injection, XSS, CSRF, and many other vulnerabilities. With an attack testing library of over 90, Rapid 7 is definitely one of the most efficient testing products on the market.
- Dynamic Application Security Testing (DAST) to look for complex internal and external issues within the website apps
- 3-step process to set up website and start scanning for weaknesses
- Interactive HTML reports with details of scanning to be shared with stakeholders
Rapid 7 does not disclose product pricing on the website, and the wide product range and confusing naming make it difficult to keep track of what is what. Still, we encourage you to try it out and schedule a call for pricing.
Do you have any other tools in mind? Please leave a comment below or contact us for inclusion.