Whitepaper: Web Application Vulnerability Scanners - a Benchmark
Andreas Wiegenstein, Frederik Weidemann, Dr. Markus Schumacher, Sebastian Schinzel Version 1.0 - 2006-10-04
Overview
Watching the history of security defects in applications for the last decades, it seems that all software has hidden and unexpected security defects – a really critical issue, especially for Web applications.
One possible way to deal with such nasty defects is to use so called Web application vulnerability scanners.
The idea behind these scanners is to conduct security checks automatically and to produce a report describing the bugs in an application. Many companies rely on this approach. This whitepaper focuses on black box vulnerability scanners for Web applications and their capability to find application security defects.
Out of scope are scanners that analyze the underlying OS, Web servers or databases for specific, known vulnerabilities in order to determine if they have been patched correctly, as well as code analysis tools.
We wanted to see how efficient a scanner is in finding typical types of vulnerabilities in applications using its detection algorithms, rather than a database of known vulnerabilities in specific products.
If you ever asked yourself: "How secure is my application after I used a black box scanner and fixed all the bugs that have been reported?", this is the ...