The latest independent web application security scanners benchmark results have been published. How did VulnSign fare when compared to the other web vulnerability scanners? In short, VulnSign was:
  • The only scanner that identified all the vulnerabilities
  • One of only three scanners that reported zero false positives
None of the other web vulnerability scanners in the comparison, including the open source ones, performed as well as VulnSign. For more detailed information about these comparisons, including the vulnerability detection rates, read on. This post also explains how the vulnerability scanner tests were conducted and displays the results of each individual test.

What is the Web Application Security Scanner (DAST) Benchmark?

It is a test that compares the features, coverage, vulnerability detection rate and accuracy of automated web application security scanners, also known as web vulnerability scanners or Dynamic Application Security Testing (DAST) solutions.

The Benchmark Results – Global Results

This matrix lists what percentage of all vulnerabilities each web application security scanner identified. Missing data or scores are represented with ‘N/A’.

| Vulnerability | VulnSign | Netsparker | WebInspect | AppSpider | Burp Suite | AppScan |
|---|---|---|---|---|---|---|
| OS Command Injection | 100 | 99.24 | N/A | 99.11 | 93.3 | N/A |
| Remote File Inclusion/SSRF | 100 | 100 | 100 | 82.67 | 74.67 | N/A |
| Path Traversal | 100 | 98.63 | 91.18 | 81.61 | 78.31 | 100 |
| SQL Injection | 100 | 100 | 98.46 | 95.39 | 97 | 100 |
| Reflective XSS | 100 | 100 | 100 | 100 | 97 | 100 |
| Unvalidated Redirect | 100 | 100 | 95.51 | 100 | 76.67 | 36.67 |
| Average % | 100.0 | 98.9 | 97.0 | 93.1 | 86.2 | 84.2 |

This matrix lists what percentage of false positives each web application security scanner reported.
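
| Vulnerability | VulnSign | Netsparker | AppSpider | WebInspect | AppScan | Burp Suite |
|---|---|---|---|---|---|---|
| OS Command Injection | 0 | 0 | 0 | 0 | 0 | 0 |
| Remote File Inclusion/SSRF | 0 | 0 | 0 | 0 | 0 | 16.67 |
| Path Traversal | 0 | 0 | 0 | 0 | 0 | 12.5 |
| SQL Injection | 0 | 0 | 0 | 0 | 0 | 0 |
| Reflective XSS | 0 | 0 | 0 | 0 | 0 | 0 |
| Unvalidated Redirect | 0 | 0 | 0 | 11 | 11 | 0 |
| Total % | 0.0 | 0.0 | 0.0 | 1.8 | 1.8 | 4.9 |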