7 Free Cloud Application Vulnerability Scanning Tools

Securing cloud applications is important. While most online businesses understand that, often they overlook how cloud service providers misguide them.

Well, we are not pointing fingers, but do you think that AWS or IBM actually secures your application? They do not. And do not take our word for it. Please read the Shared Responsibility Model from AWS and the Cloud Computing Security Model by IBM; you will realise that they expect customers to keep websites and web applications safe.

The scanning and patching of web application vulnerabilities fall under your responsibility. Now, given that 70% of all attacks occur at the application layer, periodic and frequent scanning becomes critical. Although there are plenty of vendors in the market, we have researched, tested and compiled a list of top free, freemium and free trial programs that will help you kickstart web application vulnerability scanning.

1 Qualys

Qualys is one of the most popular web application security companies in the Americas, and their FreeScan can accurately scan your web assets to detect risks. This cloud scanner works effectively from a browser and provides detailed reports on common vulnerabilities such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and more.

  • Scans internet-facing networks, apps, desktops for security vulnerabilities that hackers could exploit
  • Detects common issues like SQLi, XSS, CSRF and Injection
  • Interactive scan reports with vulnerability count, severity, and associated risks
  • Suggestion on ways of patching and mitigating the vulnerability without investing in expensive tools
  • OWASP detection available
  • Manual scan initiation
  • Offers malware detection
  • SCAP security benchmarks for computing systems

The free scan from Qualys is limited to 10 unique security scans of Internet-accessible assets, but if you are satisfied with the product, the company has a lot more to offer in paid programs, including vulnerability management, web application firewall, DDoS mitigation and more.

Our Rating: 8/10

2 Scan My Server

When it comes to free tools, Scan My Server is one of the best options out there. Developed by Beyond Security, this tool offers easy testing of vulnerabilities on any website or blog. Simply enter the URL of your property and start looking for malware and common OWASP issues including SQL injection, XSS and CSRF. Like Qualys's tool, this one is also in the cloud and doesn't require any download or installation.

  • 3-step scanning for any web application, website or blog
  • No download or installation required
  • No lag for the visitors even when scanning is active and looking for vulnerabilities
  • Detailed security reports with points on vulnerability, its location and how to mitigate it
  • No password access required

Scan My Server has become a trusted provider of security testing tools for networks, software and web applications over the last few years, but if you are looking to upgrade their services and seek better detection or protection, Beyond Security has a myriad of Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) offerings. Also, their penetration testing services are said to be among the best in the industry.

Our Rating: 7/10

3 Sucuri

Sucuri SiteCheck is another free cloud vulnerability scanner that looks for OWASP issues and malware on your site. It is trusted by online companies for finding known malware, blacklisting status, website errors, and out-of-date software.

  • OWASP vulnerability detection
  • Website malware scanning
  • Easy WordPress plugins

For a nominal $16 per month, you can upgrade the Sucuri plan to also cover malware cleanup, DDoS protection, blacklist removal, security monitoring, and Google warning removal.

Our Rating: 8.5/10

4 Web Inspector

Comodo, the leading SSL provider, has launched Web Inspector for free website scans that detect OWASP issues and malware. You simply need to provide the website URL and push the scan button to get started. However, the free plan only includes scans of up to 50 pages. Beyond that, you will have to opt for paid plans.

  • OWASP and malware reporting
  • Free scan tests up to 50 pages
  • Cyber Security Operations Center (CSOC) promises to fix the website for free
  • Blacklist detection available on request

Again, if you want premium services, Comodo has plenty of options, including a web application firewall.

Our Rating: 7/10

5 Acunetix

Acunetix offers an online vulnerability scanner under its 14-day free trial program. If you are looking to test a cloud app scanner trusted by global companies, this one is a good choice. Like others on the list, it looks for OWASP Top 10 issues and also includes network features.

Our Rating: 8/10

6 UpGuard

UpGuard offers free risk assessment results on a score basis. The scans include various security checks based on common attack vectors, including man-in-the-middle, cross-site, and fraudulent emails. While the product is still in its beta phase, you should try it out.

  • Multi-level security checks
  • Tests SSL, Clickjack attack, Cookie, DNSSEC, and Headers
  • Online portal for results
  • Demo available

Our Rating: 8.5/10

7 Tinfoil

Tinfoil promises faster security scans in the cloud that can be pushed directly into your developer’s workflow. With seamless integration in AWS infrastructure and API integration, it is one of the best tools on the list.

  • Simple setup to scan in cloud
  • API integration
  • Online reports

Tinfoil has a complete suite of security products for companies of all sizes.

Our Rating: 8.5/10

Bonus: If you have just moved to the cloud or are planning to do so, a cloud risk assessment can help you get a security overview that's not limited to web applications. RedLock offers a free risk assessment across Amazon Web Services (AWS), Microsoft Azure, or Google Cloud to gauge:

  • Risky configs
  • Vulnerable hosts
  • Network intrusion
  • Insider threats

Have we missed any details? Do you have any other free tools for our readers? List them in the comments or send us a note.

Ishan Mathur

From stopping hackers to getting the fastest CDN, I'm helping big and small companies choose what's best for them by building a community here.