Whether you want to broaden your application security toolkit or are looking for an alternative to Qualys (or to other tools such as Netsparker), here is why you should give Acunetix a try.
Qualys, like Tenable Nessus and Rapid7 Nexpose, is one of the oldest and most widely used cloud-based network vulnerability scanners. For a long time it has been the go-to SaaS network security scanner, and its product range now also includes Web Application Scanning, or WAS (formerly QualysGuard WAS). So why consider another tool at all?
Unlike Qualys, Acunetix was built from day one with a razor-sharp focus on web application security. Qualys's strengths lie in detecting network-layer vulnerabilities and helping teams manage patching cycles and policy compliance across their IT systems; web application security is not its primary domain.
Acunetix, on the other hand, was designed specifically to combat web application security threats. Web application vulnerabilities detected by Acunetix include SQL Injection, Cross-site Scripting (XSS), and Local File Inclusion (LFI). These vulnerabilities are exploitable purely over HTTP, the very channel the application must expose to its users, so network infrastructure controls such as firewalls and network segmentation are usually not sufficient to mitigate them. The flaw lives in the application's own code or in the server's configuration, so there is no vendor patch to install; the fix is a code or configuration change by the team that owns the application.
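To make that point concrete, here is an added example in Python (not Acunetix code, and not part of the original post) showing why these bugs are invisible to a firewall: the SQL injection and path-traversal payloads below are ordinary HTTP parameter values, and the only thing that stops them is a change to the handler itself. The database rows, the web root layout and the payloads are constructed for the example.

```python
"""Vulnerable and hardened request handlers side by side.

The flaw and its fix both live in application code: a firewall that must allow
HTTP to the app cannot tell the malicious parameter values from benign ones.
All sample data and files below are constructed for this example.
"""
import os
import sqlite3
import tempfile


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the HTTP parameter is spliced straight into the query text."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def make_docroot():
    """Constructed layout: a web root with one page, and a secret file one level above it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "docroot")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return docroot


def read_page_vulnerable(docroot, name):
    """Local file inclusion: a '../' in the parameter walks out of the web root."""
    with open(os.path.join(docroot, name)) as f:
        return f.read()


def read_page_fixed(docroot, name):
    """Canonicalise the path, then require it to stay inside the web root."""
    root = os.path.realpath(docroot)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("path escapes web root: %r" % name)
    with open(path) as f:
        return f.read()


def run_demo():
    """Sends each payload to both versions and returns what a scanner would observe."""
    sqli_payload = "' OR '1'='1"   # closes the quote, then a tautology
    lfi_payload = "../secret.txt"  # steps out of the web root
    conn = make_db()
    docroot = make_docroot()
    results = {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, sqli_payload)),  # every user leaks
        "sqli_fixed_rows": len(lookup_fixed(conn, sqli_payload)),            # no such username
        "lfi_vulnerable": read_page_vulnerable(docroot, lfi_payload),        # secret file contents
    }
    try:
        read_page_fixed(docroot, lfi_payload)
        results["lfi_fixed"] = "allowed"
    except PermissionError:
        results["lfi_fixed"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=>", value)
```

Both payloads travel as plain parameter values in otherwise legitimate HTTP requests, which is exactly what a scanner like Acunetix sends; the hardened handlers neutralise them without any change to the network path.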
Acunetix has a relentless focus on delivering high-quality results, which means neither wasting your time with false positives nor missing trivial vulnerabilities. With Acunetix, different teams can set up scheduled scans to discover thousands of web application vulnerabilities and misconfigurations. Scans may also be scoped to test for only a specific subset of vulnerabilities, or to exclude certain paths within a web application. Furthermore, with built-in vulnerability management and the ability to export findings to issue trackers such as GitHub, GitLab, Jira, and TFS, teams can manage the entire vulnerability assessment cycle from a single interface, including retesting a finding and closing it once the fix is verified.
Project stakeholders, management, and GRC (governance, risk, and compliance) teams also gain immediate visibility into the remediation process and can generate a variety of reports to suit their needs. Acunetix offers everything from technical reports to PCI DSS, OWASP Top 10, HIPAA, and ISO 27001 reports, amongst others, making it quick and easy to present the same results to different regulatory regimes without being a domain expert in each.
Leading Technology Coverage Without False Positives
While Qualys WAS can test for low-hanging web application vulnerabilities and detect TLS/SSL misconfigurations, Acunetix goes well beyond that. Thanks to its AcuMonitor and DeepScan technology, Acunetix can detect advanced security vulnerabilities such as DOM-based Cross-site Scripting (DOM XSS), Blind Cross-site Scripting (Blind XSS), Out-of-band SQL injection (OOB SQLi), and Out-of-band Remote Code Execution (OOB RCE). Blind and out-of-band issues leave no trace in the HTTP response, so they can only be confirmed when an external listener such as AcuMonitor receives a callback from the target, and DOM XSS only manifests when a browser actually executes the page's JavaScript. Acunetix achieves this while remaining fast and accurate, saving you and your team hours of sifting through false positives.
Acunetix DeepScan technology incorporates a browser engine within its crawler, giving it best-in-class JavaScript support, including ECMAScript 6 (ES6). Acunetix therefore supports single-page applications (SPAs) and understands and fully tests applications that rely heavily on JavaScript frameworks such as React, Angular, Ember, and Vue, so you can use it to scan everything from legacy web apps to modern apps built on the latest technologies.
Unlike Qualys, Acunetix can run gray-box (IAST) scans in addition to dynamic, black-box scanning (DAST), thanks to AcuSensor. AcuSensor is a sensor installed on the server side for Java, ASP.NET, and PHP web applications. It combines dynamic testing with instrumentation: while the scanner sends its requests, sensors inside the running application relay feedback about what the payloads reached in the code back to Acunetix. This allows Acunetix to further reduce false positives and to find vulnerabilities that would be impossible to detect in a pure black-box scan.
Integrate with Anything
Integrations are an important consideration in modern security tools. Acunetix not only ships with several third-party integrations built in, but its RESTful API lets you build custom integrations to fit your own workflows and business requirements.
Acunetix integrates with third-party penetration testing software such as PortSwigger Burp Suite; it can export results to a variety of web application firewalls (WAFs) for instant virtual patching; it lets you manage vulnerabilities in external issue trackers such as GitLab, GitHub, Jira, Bugzilla, Mantis, and Microsoft TFS; and it even lets you orchestrate scans through Jenkins quickly and easily.
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”
Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox