If you’re choosing a web application vulnerability scanner for the first time or struggling to get the most out of the Nessus web application plugin, here’s why you should be considering Acunetix.
Tenable Nessus is one of the oldest and most widely used network scanners around. The once open-source network scanner is a go-to network security scanner for many penetration testers – so why bother looking at other tools at all? Nessus, unlike Acunetix, is a scanner focused on detecting network-layer vulnerabilities. It is well suited to finding open ports and network vulnerabilities and to supporting patch management by detecting unpatched versions of Unix, Linux and Microsoft Windows and other host-based vulnerabilities. It was not, however, originally designed for website and web application vulnerability scanning.
Acunetix, on the other hand, was built from day one specifically to scan websites and web applications for vulnerabilities such as SQL Injection, Cross-site Scripting (XSS) and Local File Inclusion (LFI). Unlike the vulnerabilities Nessus commonly detects, these are exploitable purely over HTTP, through the same port 80/443 traffic that a firewall has to allow to reach the application in the first place. Traditional network controls such as firewalls and network segmentation are therefore not sufficient on their own to mitigate web application vulnerabilities.
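To make the point concrete, here is an added example (not code from Acunetix, Nessus or this page) of a login check that is exploitable purely over HTTP: the injection payload travels as an ordinary query-string parameter, so a firewall that permits web traffic passes it through untouched. The in-memory SQLite database, the users table, the credentials and the two sample requests are all constructed for the example; the hardened function shows the parameterized query that closes the hole.

```python
"""
Added illustration: SQL injection reachable over plain HTTP, beside its fix.
Everything below (database, users table, credentials, requests) is constructed
for the example; it is not code from Acunetix or Nessus.
"""
import sqlite3
from urllib.parse import parse_qs, quote


def make_db() -> sqlite3.Connection:
    """Constructed sample backend: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def _credentials(query_string: str) -> tuple[str, str]:
    """Pull user and pw out of an HTTP query string, as a web handler would."""
    params = parse_qs(query_string)
    return params.get("user", [""])[0], params.get("pw", [""])[0]


def login_vulnerable(conn: sqlite3.Connection, query_string: str) -> bool:
    """Builds the SQL by string concatenation: the classic injection flaw.

    With pw set to  ' OR '1'='1  the query becomes
      ... WHERE username = 'alice' AND password = '' OR '1'='1'
    and the OR branch is always true, so the check passes with no password.
    """
    user, pw = _credentials(query_string)
    sql = (
        "SELECT 1 FROM users WHERE username = '" + user + "' "
        "AND password = '" + pw + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, query_string: str) -> bool:
    """Same check with bound parameters: user input never becomes SQL syntax."""
    user, pw = _credentials(query_string)
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?", (user, pw)
    ).fetchone()
    return row is not None


# Constructed sample requests. Both are valid HTTP query strings; a firewall
# rule allowing traffic to the web server cannot tell them apart.
WRONG_PASSWORD_REQUEST = "user=alice&pw=wrong"
RIGHT_PASSWORD_REQUEST = "user=alice&pw=correct+horse+battery+staple"
INJECTED_REQUEST = "user=alice&pw=" + quote("' OR '1'='1")


if __name__ == "__main__":
    db = make_db()
    for label, req in [
        ("wrong password", WRONG_PASSWORD_REQUEST),
        ("right password", RIGHT_PASSWORD_REQUEST),
        ("injected", INJECTED_REQUEST),
    ]:
        print(
            f"{label:15s} vulnerable={login_vulnerable(db, req)} "
            f"fixed={login_fixed(db, req)}"
        )
```

The vulnerable handler accepts the injected request as a successful login while the parameterized version rejects it; both accept the genuine password. A network scanner sees only an HTTP service on an open port here, which is why a web application scanner has to exercise the request parameters themselves.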
Keen observers may note that Nessus does include some web application testing functionality. While these tests are a good first step for catching glaring low-hanging fruit, they are not nearly as detailed, rigorous or configurable as the automated web application tests carried out by Acunetix. Conversely, Acunetix covers the network side by integrating with the open-source OpenVAS network security scanner, which is itself an offshoot of the once open-source Nessus code base.
Acunetix is especially well suited if you’re looking for a Nessus alternative with a specific focus on web security vulnerability assessment. Like Nessus, Acunetix is easy to install, simple to keep up to date, and has a straightforward user interface that is accessible from any regular web browser at any time.
Industry-Leading Technology Coverage
Acunetix has a relentless focus on separating signal from noise, and is designed to keep false positives to a minimum so they do not waste your time. It can also detect advanced vulnerabilities such as Blind Cross-site Scripting (Blind XSS) and Out-of-band SQL injection (OOB SQLi), while remaining fast thanks to its SmartScan and DeepScan technologies.
With Acunetix, information security teams can set up scheduled, automated scans that discover thousands of web application vulnerabilities and misconfigurations, and then quickly generate reports highlighting the actions needed to improve their security posture.
While the Nessus web application scanner will likely be able to crawl and scan some of your legacy technologies, Acunetix takes technology support to another level. Acunetix DeepScan incorporates a real “headless” browser in its crawler, giving it full JavaScript support, including ECMAScript 6 (ES6).
This means that, unlike Nessus, Acunetix fully supports modern single-page applications (SPAs) and can crawl and test applications built on JavaScript frameworks such as React, Angular, Ember and Vue. Acunetix can therefore scan everything from legacy web apps developed on traditional stacks to modern web apps built on the latest leading-edge technologies.
In addition to dynamic black-box scanning (DAST), Acunetix, unlike Nessus, can perform gray-box (IAST) scans using AcuSensor, a sensor installed on the web server alongside Java, ASP.NET and PHP web applications. This combines the strengths of dynamic testing with feedback from the sensor inside the application code while it executes.
Speed Not at the Expense of Accuracy
With nearly any type of black-box scanning there is a tradeoff between speed and accuracy. With a re-architected core and a highly optimized crawler, the key Acunetix feature is speed without sacrificing accuracy: it can scan enormous web applications containing hundreds of thousands of pages quickly, without reporting a sea of false positives.
Integrations with third-party penetration testing software such as PortSwigger Burp Suite, and with web application firewalls (WAFs) such as Imperva SecureSphere and F5 BIG-IP ASM, make it easy to import and export the data needed to get vulnerabilities fixed in the formats those tools understand.
Frequently asked questions
Nessus is one of the oldest network security scanners on the market. It was first released in 1998 as open-source software. In 2005 Tenable (co-founded by the Nessus author) decided to commercialize the project, and the free code base was continued as GNessUs and then as OpenVAS. Nessus was never a web vulnerability scanner, but it has limited web scanning functionality.
You should choose Acunetix if you are primarily concerned about web application security. Nessus is not a specialized web application security product and offers limited web security scanning capabilities.
You should choose Nessus if you are primarily concerned about network security. Nessus has always focused on network security and is one of the best network security products on the market. If your focus is on web application security, choose a specialized solution like Acunetix instead.
Acunetix is fully integrated with OpenVAS, which is based on the same code foundation as Nessus. All network issues are displayed and managed along with web issues in the Acunetix interface. Therefore, while still focusing on web security, Acunetix can help you with network security, too.
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”
Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox