An empirical comparison of commercial and open‐source web vulnerability scanners. (3rd July 2020)
- Record Type:
- Journal Article
- Title:
- An empirical comparison of commercial and open‐source web vulnerability scanners. (3rd July 2020)
- Main Title:
- An empirical comparison of commercial and open‐source web vulnerability scanners
- Authors:
- Amankwah, Richard
- Chen, Jinfu
- Kudjo, Patrick Kwaku
- Towey, Dave
- Abstract:
- Summary: Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open‐source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn Vulnerable Web Application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open‐source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open‐source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false‐positives.
- Is Part Of:
- Software, practice & experience. Volume 50:Number 9(2020)
- Journal:
- Software, practice & experience
- Issue:
- Volume 50:Number 9(2020)
- Issue Display:
- Volume 50, Issue 9 (2020)
- Year:
- 2020
- Volume:
- 50
- Issue:
- 9
- Issue Sort Value:
- 2020-0050-0009-0000
- Page Start:
- 1842
- Page End:
- 1857
- Publication Date:
- 2020-07-03
- Subjects:
- commercial scanners -- detection capability -- open‐source scanners -- software vulnerability -- vulnerable web application
- Computer software -- Periodicals
- Computer programming -- Periodicals
- Computer programs -- Periodicals
- 005.3
- Journal URLs:
- http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/spe.2870
- Languages:
- English
- ISSNs:
- 0038-0644
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 8321.453000
- British Library DSC - BLDSS-3PM
- British Library STI - ELD Digital store
- Ingest File:
- 24578.xml