An interesting report has been released that takes a sample of web application security testing applications and puts them up against each other.
The most notably thing is how much the results vary, and how many vulnerabilities most scanners miss. Clearly using more than one scanner is necessary to be able to compare the results, and nothing can beat testing by skilled security professionals.
NTOSpider by NT Objectives came out in the lead with the best overall score of the application scanners tested (which included Acunetix, Appscan, Burp Suite Pro, Hailstorm, WebInspect, and NTOSpider). He also measured things like how long the various scanners take to configure, support and so on – all important things for companies about to make the big investment. This isn’t all scanners everywhere (notably WhiteHat is missing as is the newest player to the field, NetSparker who incidentally took it upon themselves to add themselves into the report after the fact, and other free web assessment tools, like Nikto etc…), but it’s a great start to a long future of heavily debated research, I’m sure. Love him, or hate him, Larry’s always got interesting research to share!
I guess now would be a good time to point out that even if you cough up the money for a commercial scanner or perhaps an online scanning service such as Qualys or ControlScan getting a second opinion from a service such as ours here at HackerTarget.com is an excellent way to get a second option.