The final entry in our Web application scanner Rolling Review easily makes our short list.

Jordan Wiens, Contributor

October 5, 2007

3 Min Read



FEATURED PRODUCT:  Acunetix Web Vulnerability Scanner,

PRICE:  $6,000, first year's maintenance included; thereafter $1,200 per year

ABOUT THIS ROLLING REVIEW:  We're testing Ajax-capable application scanners at our University of Florida Real-World Labs. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false positives, as well as ease in manual adjustments or product updates to address them; prevalence of false negatives; and price. SaaS offerings also will be evaluated.

PAST REVIEWS:  Hewlett-Packard WebInspect, Cenzic Hailstorm, N-Stalker Web Application Security Scanner 2006 Enterprise Edition, and IBM Watchfire AppScan

How about Ajax? Our test apps using JavaScript to provide client-side functionality certainly caused trouble for many of the previous products reviewed, and unfortunately, WVS suffered the same fate. Indeed, when starting a new scan, the warning included on the configuration page, "Good candidates for manual browsing are sites which are heavily based on JavaScript navigation," certainly didn't bode well. And the caveat was accurate--WVS did require a manual crawl to identify most Ajax application functionality. While the argument could be made that scanners requiring a manual crawl for Ajax applications are still "Ajax-capable," much of the value of an automated scanner is that it's, well, automated.

Sadly, these are not even Ajax-specific vulnerabilities that are being missed by the applications, merely traditional vulnerabilities that are being missed only because navigating the application requires JavaScript. See our Rolling Review wrap-up (p. SS1) for more on the differences between these types of vulnerabilities and how the products missed them.

Of course, no product or application is without room to improve, no matter how often Steve Jobs may claim otherwise, and there are some places Acunetix could beef up WVS. For example, the report generator would benefit from reorganization--it's a bit awkward to navigate through and use, even requiring one of our pet peeves that was noted in the N-Stalker review: a right-click menu choice with no other equivalent mechanism to continue or visual cues as to the next step. Using an app shouldn't feel like a scavenger hunt. Fortunately, most of WVS doesn't suffer from these quirks.

Additionally, the included documentation could use some work. Both the application help file and the remediation steps included with discovered vulnerabilities lack the depth and specific examples of many other products. A few bells and whistles offered by others are absent in WVS, like the ability to submit false positives to Acunetix to update checks or the ability to exclude particular results from a report. You could rerun the scan without those checks enabled, but that's not a good solution, nor does it cover times when only some findings of a check are in error.

Still, those items are for the most part nitpicks. The worst thing we can say about WVS is that it never feels like the top product in any given feature or function. Of course, as far as "worst things" go, that's pretty tame. The product is reasonably priced, at $6,000 with the first year's maintenance included, and is close to the top in every respect. Given WVS's solid implementation, even without some bells and whistles, it's an attractive option and well worth including on your short list.

InformationWeek Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff to this Ajax-capable application scanner review as well as additional series at

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights