
How to benchmark a web application security scanner?

There is a plethora of web application scanners, every one of which claims to be better than the others. It is indeed a challenge to differentiate between them. We need to benchmark application scanners against hard facts, not marketing claims. Below are some of the most critical metrics against which you should benchmark a web application scanner.

1. What is the rate of false positives?

False positives are vulnerabilities reported by a tool that don't actually exist. Any web application scanner will throw some false positives. First we need to understand why false positives are harmful. Even though they don't appear to be harmful, it costs money to remove them. Imagine a little bit of sand in your food: you can't eat that food; similarly, you can't send a report with false positives to developers.

Removing false positives from web application scanner reports takes a lot of time. Hence it adds to your manpower cost, and of course to the drudgery of doing boring work. I have seen so many organizations lose people because the work becomes monotonous.

So you need to check the percentage of false positives reported by the web application scanner. The flip side, however, is that a scanner can minimize its percentage of false positives by limiting its coverage, which leads to the next question.


2. How many classes (or percentage) of vulnerabilities does it cover?

False negatives, that is, vulnerabilities that are missed, are another critical element. You need to understand the percentage coverage of the web application scanner to ensure that critical vulnerabilities are not missed (particularly as the price of not reporting false positives). You can use WASC 1, WASC 2 or OWASP as a guideline for what should be covered.

3. Which classes does the web application scanner not cover?

If a web application scanner does not cover certain classes of test (which is always the case), you should know which those classes are, how important they are for your business, and whether you can live without them.
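The first three metrics (false positive rate, percentage coverage, and the list of uncovered classes) all fall out of one comparison: the scanner's report measured against a known ground truth, such as the documented flaws of a deliberately vulnerable benchmark application. The following script is an added example, not code from the article or from any scanner vendor; the ground truth, the scanner report, the hostnames and the class labels are all constructed for illustration.

```python
"""Score a web application scanner's report against a known ground truth.

Added example (not from the original article). The ground truth would
normally come from a deliberately vulnerable benchmark application whose
flaws are documented; here both the ground truth and the scanner report are
constructed inline. Vulnerability class names are labels of convenience,
not identifiers from any particular scanner or taxonomy.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ground truth: every real flaw in the benchmark application,
# keyed by vulnerability class, page and parameter.
GROUND_TRUTH = [
    {"class": "sqli", "url": "http://app.example/login", "param": "user"},
    {"class": "sqli", "url": "http://app.example/search", "param": "q"},
    {"class": "xss", "url": "http://app.example/search", "param": "q"},
    {"class": "xss", "url": "http://app.example/profile", "param": "name"},
    {"class": "path_traversal", "url": "http://app.example/download", "param": "file"},
    {"class": "csrf", "url": "http://app.example/transfer", "param": None},
]

# Constructed scanner report: what the tool under evaluation claimed to find.
SCANNER_REPORT = [
    {"class": "sqli", "url": "http://app.example/login?next=/home", "param": "user"},  # true positive (query string ignored)
    {"class": "sqli", "url": "http://app.example/search", "param": "q"},  # true positive
    {"class": "xss", "url": "http://app.example/search", "param": "q"},  # true positive
    {"class": "xss", "url": "http://app.example/about", "param": "lang"},  # false positive
    {"class": "sqli", "url": "http://app.example/about", "param": "lang"},  # false positive
]


def finding_key(finding):
    """Normalise a finding to (class, scheme://host/path, param) so that the
    same flaw reported with a different query string still matches."""
    parts = urlsplit(finding["url"])
    path = parts.path.rstrip("/") or "/"
    return (finding["class"], f"{parts.scheme}://{parts.netloc}{path}", finding["param"])


def score_report(report, ground_truth):
    truth = {finding_key(f) for f in ground_truth}
    reported = {finding_key(f) for f in report}

    true_positives = reported & truth
    false_positives = reported - truth
    false_negatives = truth - reported

    # Metric 1: share of reported findings that do not actually exist.
    fp_rate = len(false_positives) / len(reported) if reported else 0.0

    # Metric 2: per-class coverage, i.e. recall within each vulnerability class.
    per_class_total = defaultdict(int)
    per_class_found = defaultdict(int)
    for key in truth:
        per_class_total[key[0]] += 1
        if key in true_positives:
            per_class_found[key[0]] += 1
    coverage = {c: per_class_found[c] / per_class_total[c] for c in per_class_total}

    # Metric 3: classes present in the benchmark that the scanner never reported.
    uncovered = sorted(c for c, cov in coverage.items() if cov == 0.0)

    return {
        "true_positives": len(true_positives),
        "false_positives": len(false_positives),
        "false_negatives": len(false_negatives),
        "false_positive_rate": fp_rate,
        "overall_coverage": len(true_positives) / len(truth) if truth else 0.0,
        "coverage_by_class": coverage,
        "uncovered_classes": uncovered,
    }


if __name__ == "__main__":
    for name, value in score_report(SCANNER_REPORT, GROUND_TRUTH).items():
        print(f"{name}: {value}")
```

Run the same script against each candidate scanner's export and the numbers become directly comparable: the false positive rate answers question 1, the per-class coverage answers question 2, and the uncovered list answers question 3. The matching key deliberately ignores query strings and trailing slashes so a scanner is not penalised for reporting the same page with a different URL spelling.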

4. How good is the coverage of the crawler? Is there any benchmark?

Crawlers are a fundamental part of any web application scanner. The first step of any test is crawling: if a page is not crawled, it is not tested. You can benchmark different web application scanners against the number or percentage of pages each could crawl. Fast scanning does not mean good scanning; you need a web application scanner that can comprehensively crawl all the pages.
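One practical way to put a number on crawler coverage is to compare the scanner's crawl log against an inventory of pages you already know exist (a sitemap or the application's route table). The script below is an added example, not the article's or any vendor's code; the page inventory, the crawl log and the hostnames are constructed placeholders, and the log format (one "METHOD URL" per line) is an assumption about how a scanner might export its crawl.

```python
"""Measure a crawler's page coverage against a known page inventory.

Added example, not from the original article. It assumes you have an
inventory of the application's pages (e.g. from a sitemap or the route
table) and the scanner's crawl log as one "METHOD URL" line per request;
both are constructed inline here, and the hostnames are placeholders.
"""
from urllib.parse import urlsplit

# Constructed page inventory: every page the crawler is expected to reach.
PAGE_INVENTORY = [
    "http://app.example/",
    "http://app.example/login",
    "http://app.example/search",
    "http://app.example/profile",
    "http://app.example/admin/users",
    "http://app.example/download",
    "http://app.example/transfer",
    "http://app.example/help/faq",
]

# Constructed crawl log: one requested URL per line, as a scanner might export it.
CRAWL_LOG = """\
GET http://app.example/
GET http://APP.EXAMPLE/login/
GET http://app.example/search?q=test
GET http://app.example/search?q=other
GET http://app.example/profile#section
GET http://app.example/download?file=readme.txt
GET http://cdn.example/static/app.js
"""


def normalise_page(url):
    """Reduce a URL to scheme://host/path, ignoring query, fragment, host case
    and trailing slash, so repeated crawls of the same page count once."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def crawled_pages(log_text, in_scope_hosts):
    """Extract the distinct in-scope pages from a 'METHOD URL' crawl log."""
    pages = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        url = fields[1]
        if urlsplit(url).netloc.lower() not in in_scope_hosts:
            continue  # third-party hosts (CDNs etc.) are not part of the target
        pages.add(normalise_page(url))
    return pages


def crawler_coverage(log_text, inventory, in_scope_hosts):
    expected = {normalise_page(u) for u in inventory}
    reached = crawled_pages(log_text, in_scope_hosts)
    hit = expected & reached
    return {
        "expected": len(expected),
        "reached": len(hit),
        "coverage": len(hit) / len(expected) if expected else 0.0,
        "missed_pages": sorted(expected - reached),
    }


if __name__ == "__main__":
    for name, value in crawler_coverage(CRAWL_LOG, PAGE_INVENTORY, {"app.example"}).items():
        print(f"{name}: {value}")
```

The missed-pages list is the useful output: pages behind authentication, pages reached only through JavaScript, or pages only linked from forms tend to show up there, and a scanner that cannot reach them also cannot test them, however fast it finishes.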

5. How many scans can run in parallel?

Most organizations today have multiple web applications which need to be tested frequently. You need a web application scanner which can run multiple scans in parallel. Don't go by the number stated on the product datasheet but by how many it can actually run in parallel without significant degradation of performance. So the best thing is to try it and check this out yourself.


6. How flexible are the configuration options of the tool?

Does the tool give you the ability to fine-tune which test classes it scans for and let you test your production environment safely? Options that allow you to prevent things like automatic form filling, or to limit the number of concurrent threads, can prevent unnecessary disruption to your organization when testing your production environment with a tool.

A few more suggestions by readers and community members

Credits: Simon Bennetts, James McGovern, Keighley Peters

  • How long does it take to run? (Quicker could mean a less comprehensive test; check the number of tests per hour, etc.)
  • How long does it take to learn and configure to work effectively?
  • How much does it cost?
  • What are the licensing terms?
  • How many organizations use the tool? How satisfied are they?
  • Is there any industry recognition or analyst mention (e.g. Gartner)?

Selecting an appropriate scanner can be very challenging, as every organization has developed its applications differently. By considering the metrics discussed above, organizations can benchmark application scanners, evaluate their effectiveness and make the right choice for their organization.
