How to Choose the Right Web Vulnerability Scanner


Cyber-attacks and breaches are now in the headlines every day. Attacks can come from anywhere, at any time, against companies of any size. According to a global study by PwC, the volume of cyber-attacks grew by 48% in 2014.

Everything about the way we work, play, shop, and communicate nowadays is online. Saving time, money and other resources is therefore a must. That’s why it is crucial to be forewarned and protected against threats before they occur. This is one of the hardest challenges for companies.

When deploying a web vulnerability scanner (WVS), most users take into account the price, and most providers take into consideration the features. Since the average cost of an incident for SMEs is $100,000–$183,000 (CSIS 2014), the price has to be considered an investment.

Select the WVS that detects most vulnerabilities and has a good price while considering the following elements:

A price adapted to the size and type of your website – The major criterion, especially for SMEs, is to have packages which meet your needs whatever your company, activity and size: R&D, certified seal, monitoring, personalized packages depending on your web application typology, monthly payment without commitment.

If your website has less than 100 pages you will not pay the same amount as a large e-commerce website, for example.

How it works, and the availability of your website – The solution should analyze the behavior of your website so that it can quickly simulate thousands of malicious code injections. It must have a profiling and machine-learning system and perform a full parse of all of your website’s pages.

But remember: meeting these criteria must not affect the availability of your website, so the scanner should not consume its bandwidth.
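The two requirements above (parse every page of the site, but never starve it of bandwidth) pull in opposite directions, and the usual answer is a rate-limited crawler. The following is an added example, not code from the article or from any scanner vendor: a breadth-first crawler that stays on the starting host, de-duplicates URLs, and passes every fetch through a token-bucket limiter so the request rate is bounded. It runs offline against a small constructed in-memory site (SAMPLE_SITE) and a fake clock; a real scanner would plug an HTTP client in as `fetch` and use the real clock.

```python
import time
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory "website" standing in for a real server (assumption: a real
# scanner would issue HTTP requests here). Keys are absolute URLs, values are HTML bodies.
SAMPLE_SITE = {
    "https://example.test/": '<a href="/about">About</a> <a href="/shop?id=1">Shop</a> '
                             '<a href="https://other.test/x">external</a>',
    "https://example.test/about": '<a href="/">Home</a> <a href="/contact">Contact</a>',
    "https://example.test/shop?id=1": '<a href="/shop?id=2">Next</a>',
    "https://example.test/shop?id=2": '<a href="/shop?id=1">Prev</a> <a href="/about#team">Team</a>',
    "https://example.test/contact": "",
}


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags; the crawler uses them to discover new pages."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


class TokenBucket:
    """Caps the request rate so the crawl cannot saturate the target site's bandwidth.

    clock/sleep are injectable so the limiter can be exercised without real waiting.
    """

    def __init__(self, rate_per_sec, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate_per_sec)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def acquire(self):
        """Consume one token, sleeping if none is available; returns seconds waited."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            wait = (1.0 - self.tokens) / self.rate
            self.sleep(wait)
            self.last = self.clock()
            self.tokens = 0.0  # the token that accrued during the sleep is used by this call
            return wait
        self.tokens -= 1.0
        return 0.0


def crawl(start, fetch, bucket, max_pages=1000):
    """Breadth-first crawl limited to the start URL's host.

    Returns (visited URLs in order, total seconds spent waiting on the rate limiter).
    """
    host = urlparse(start).netloc
    queue = deque([start])
    seen = {start}
    visited, waited = [], 0.0
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        waited += bucket.acquire()  # every request, successful or not, pays a token
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href).partition("#")[0]  # fragments are not distinct pages
            if urlparse(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return visited, waited


class FakeClock:
    """Deterministic clock for the offline demo; sleep() simply advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(rate_per_sec=2, burst=1):
    """Crawl SAMPLE_SITE at the given rate; returns (visited, seconds_waited)."""
    fc = FakeClock()
    bucket = TokenBucket(rate_per_sec, burst, clock=fc.now, sleep=fc.sleep)
    return crawl("https://example.test/", SAMPLE_SITE.get, bucket)


if __name__ == "__main__":
    pages, waited = demo()
    print(f"crawled {len(pages)} pages, throttled for {waited:.1f}s total")
    for p in pages:
        print("  ", p)
```

With `rate_per_sec=2, burst=1` the first request goes out immediately and each later one is held back half a second, so five pages cost two seconds of deliberate waiting; raising the rate trades that wait for load on the site, which is exactly the knob a scanner should expose.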

Security coverage: websites, servers, web apps, cloud and the technologies in use – Your WVS should detect at a minimum the OWASP Top 10 vulnerabilities across all of your information system types, and also zero-days.

Simplicity, efficiency – The solution must match the technical level of all users, whatever their technical competencies: CEO, CIO, webmaster, technical manager. It needs the following capabilities:

  • Availability: no download or installation required
  • Simplicity: clear corrective measures
  • Automation: personalized and schedulable scan frequency

The monitoring system must offer real-time SMS and email alerts, allowing immediate corrections when anomalies and vulnerabilities are detected.

The security seal must be recognizable by users and updated in real time after each new scan.

Reporting system – If you cannot see what is wrong, then you do not know what to remediate. Choose a solution with a zero false positive guarantee. Finally, the reports must include compliance references (ISO, PCI DSS, etc.).

Cybersecurity is like a backup: by the time we need it, it is already too late. Invest in a WVS before falling victim. The most cyber-aware companies are always on the right track, with the right tools to be protected from emerging flaws and cyber-attacks.
