This is a personal checklist for deciding on a scanner (enterprise versions) based on the usability of the tool. This list does not cover the technical or performance capabilities of the tool, as those are listed across the internet.
For an enterprise version you should not worry too much about detection rates, as they are usually similar and a good web application security tester can cover for any variation across those rates. Most companies usually have more than one security tester. From a management perspective it is imperative to check whether a tool can provide efficient bug tracking and customisable metrics. These are mostly the pain areas for testers and management alike.
Please beware that most tools advertise that they offer bug tracking as well, but it is very important to actually check how efficient that is. For example, incomplete scans, or scans which need to be terminated before they complete, are a sad reality of web application scanning. Can the tool manage bug tracking with incomplete scans?
In my experience I have not seen many of the listed issues being talked about when deciding on a scanner, although they can make a tester's life miserable and delay or slow down the whole scanning process.
Most importantly, one should first determine the purpose of buying an enterprise version of these scanners.
- Usability - ease of use
  - Is the interface user friendly or awfully complex?
  - Is the interface slow to work with?
  - Do big scans take forever to load, and mostly load incompletely, in the web browser?
  - Above what scan size does the tool start to suffer in usability and performance?
- Bug tracking - one of the key features to look at when buying an enterprise version of a scanner. This for me would be one of the biggest factors.
  - Can it handle complete scans?
  - Can it handle incomplete or stopped scans? Can it track these end to end? Is it possible to manually change the state of issues in the bug tracker?
  - Can it connect with tools like Jira?
  - Does the bug tracking break with incomplete scans?
  - Does it offer both automated and manual issue resolution options?
  - Does it have more than one interface for different things? That would add complexity to the overall process.
- Scanning and crawling capabilities
  - Is manual crawling part of the scan, or does crawl data have to be uploaded separately?
  - Is there a limit on the size of crawl data or macros?
  - Can the site be manually crawled after the scan is initiated?
  - Can you set the coverage of the scan?
  - Can you set individual tests in a scan, or only test categories?
  - Can form data be saved for repeated use?
- Authentication
  - Is login data part of the scan, or does it have to be uploaded separately?
  - What are the various options for recording a login?
  - Can it handle basic authentication?
  - Which parameter or condition is checked to see whether the application is in-session or logged out?
- Reporting
  - How easy is it to pull a report for a single scan?
  - Can the tool correlate with previous scans of the same application?
  - Can the tool be paused to pull interim reports?
  - Can it run consolidated reports on multiple scans of a website?
  - What are the various report formats?
  - Can you see the full request and relevant response in the report?
  - Does the tool highlight and link the pattern in the response which triggered the vulnerability?
  - Do the reports provide easy navigation? Links? Table of contents?
- Licenses and use
  - Floating licenses?
  - How many concurrent scans per license?
  - How many applications can be added to the reporting server?
- Platform dependencies
  - Is it a Windows-centric tool, or Linux, or iOS?
  - Compatible browsers?
  - Any add-ons required for full functioning?
  - Prerequisites to be installed? e.g. .NET version x.x
- Integration testing
  - Does it have a proxy feature, or can it be used to intercept web traffic to gather crawl data?
  - Can Burp traffic be uploaded for scanning? Limits on uploading traffic?
- Changing status
  - Ability to mark issues as false positive
  - Ability to mark issues as resolved without a new scan (manual input in bug tracking)
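As an added example (not code from the original post or from any scanner vendor), the following Python sketch shows what "bug tracking with incomplete scans", "correlating with previous scans" and "marking issues resolved without a new scan" amount to in practice: findings from successive scans are matched to tickets by a stable fingerprint, an open ticket is auto-closed only when the scan actually re-visited the affected URL (or ran to completion), and analyst overrides (false positive, manually resolved) survive rescans. The finding format, ticket states, application name and sample scans are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scanner result. The format is constructed for this example."""
    check: str   # vulnerability class, e.g. "xss-reflected"
    url: str     # affected path (normalised, no query string)
    param: str   # affected parameter or form field

    def fingerprint(self) -> str:
        # Stable key so the same bug reported by two scans maps to one ticket
        return f"{self.check}|{self.url}|{self.param}"


@dataclass
class Scan:
    app: str
    when: date
    complete: bool        # False if the scan was stopped or timed out
    crawled: set          # paths the scan actually visited and tested
    findings: list


@dataclass
class Ticket:
    fingerprint: str
    state: str            # "open", "resolved" or "false_positive"
    manual: bool = False  # True when an analyst set the state by hand
    history: list = field(default_factory=list)


def reconcile(tracker: dict, scan: Scan) -> dict:
    """Merge one scan into the tracker and return what changed.

    A ticket is auto-resolved only if the scan ran to completion or at least
    re-visited the ticket's URL. A naive tracker that treats "not reported"
    as "fixed" would close every untested ticket after a stopped scan.
    """
    summary = {"opened": [], "reopened": [], "resolved": [], "untested": []}
    seen = {f.fingerprint() for f in scan.findings}

    for f in scan.findings:
        fp = f.fingerprint()
        ticket = tracker.get(fp)
        if ticket is None:
            tracker[fp] = Ticket(fp, "open", history=[(scan.when, "opened")])
            summary["opened"].append(fp)
        elif ticket.state == "false_positive":
            continue  # analyst decision stands; do not reopen on every rescan
        elif ticket.state != "open":
            ticket.state, ticket.manual = "open", False
            ticket.history.append((scan.when, "reopened"))
            summary["reopened"].append(fp)

    for fp, ticket in tracker.items():
        if fp in seen or ticket.state != "open":
            continue
        url = fp.split("|")[1]
        if scan.complete or url in scan.crawled:
            ticket.state = "resolved"
            ticket.history.append((scan.when, "resolved"))
            summary["resolved"].append(fp)
        else:
            summary["untested"].append(fp)  # stays open: never re-tested
    return summary


def mark_manual(tracker: dict, fp: str, state: str, note: str = "") -> None:
    """Analyst override without a rescan: 'resolved' or 'false_positive'."""
    if state not in ("resolved", "false_positive"):
        raise ValueError("manual state must be 'resolved' or 'false_positive'")
    ticket = tracker[fp]
    ticket.state, ticket.manual = state, True
    ticket.history.append((None, f"manual:{state} {note}".strip()))


def demo():
    """Three constructed scans of one hypothetical app; returns (tracker, summaries)."""
    xss = Finding("xss-reflected", "/search", "q")
    sqli = Finding("sqli", "/profile", "id")
    csrf = Finding("csrf", "/profile", "transfer_form")
    tracker, summaries = {}, []

    # Scan 1: complete, three findings -> three open tickets
    s1 = Scan("shop", date(2024, 1, 8), True,
              {"/login", "/search", "/profile"}, [xss, sqli, csrf])
    summaries.append(reconcile(tracker, s1))
    # Analyst triage: the SQLi report is a false positive
    mark_manual(tracker, sqli.fingerprint(), "false_positive", "parameterised")

    # Scan 2: stopped early, never reached /profile; XSS no longer reported
    s2 = Scan("shop", date(2024, 1, 15), False, {"/login", "/search"}, [])
    summaries.append(reconcile(tracker, s2))

    # Scan 3: complete; CSRF gone, SQLi reported again but stays suppressed
    s3 = Scan("shop", date(2024, 1, 22), True,
              {"/login", "/search", "/profile"}, [sqli])
    summaries.append(reconcile(tracker, s3))
    return tracker, summaries


if __name__ == "__main__":
    tracker, summaries = demo()
    for i, s in enumerate(summaries, 1):
        print(f"scan {i}: {s}")
```

The line to look for when evaluating a real tool is the coverage check in the second loop: a tracker that treats every finding absent from the latest scan as fixed will silently close real bugs whenever a scan is stopped early, which is exactly the failure the checklist asks you to test for. After the stopped scan above, the XSS ticket closes (its page was re-tested) while the CSRF ticket is reported as untested and stays open until the next complete scan.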