Software Practice and Experience
Article
License: CC BY
Data sources: UnpayWall
Software Practice and Experience
Article, 2020, peer-reviewed
License: Wiley Online Library User Agreement
Data sources: Crossref

An empirical comparison of commercial and open‐source web vulnerability scanners

Title (Arabic, translated): An empirical comparison of commercial and open-source web vulnerability scanners
Authors: Richard Amankwah, Jinfu Chen, Patrick Kwaku Kudjo, Dave Towey

Abstract

Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open‐source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open‐source and commercial) using two vulnerable web applications: WebGoat and Damn Vulnerable Web Application (DVWA). The eight WVSs studied were Acunetix, HP WebInspect, IBM AppScan, OWASP ZAP, Skipfish, Arachni, Vega, and IronWASP. Performance was evaluated using multiple metrics: precision, recall, the Youden index, the OWASP web benchmark evaluation, and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open‐source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open‐source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false positives.


Impact indicators (provided by BIP!):
  • selected citations: 33 (derived from selected sources; an alternative to the "influence" indicator)
  • popularity (current attention in the research community, based on the citation network): Top 10%
  • influence (overall impact, diachronically, based on the citation network): Top 10%
  • impulse (initial momentum directly after publication, based on the citation network): Top 10%