An empirical comparison of commercial and open‐source web vulnerability scanners
Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability d...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
2020
|
| Subjects: | |
| Online Access: | https://eprints.nottingham.ac.uk/61145/ |
| _version_ | 1848799844540350464 |
|---|---|
| author | Amankwah, Richard Chen, Jinfu Kudjo, Patrick Kwaku Towey, Dave |
| author_facet | Amankwah, Richard Chen, Jinfu Kudjo, Patrick Kwaku Towey, Dave |
| author_sort | Amankwah, Richard |
| building | Nottingham Research Data Repository |
| collection | Online Access |
| description | Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives. |
| first_indexed | 2025-11-14T20:42:07Z |
| format | Article |
| id | nottingham-61145 |
| institution | University of Nottingham Malaysia Campus |
| institution_category | Local University |
| language | English |
| last_indexed | 2025-11-14T20:42:07Z |
| publishDate | 2020 |
| recordtype | eprints |
| repository_type | Digital Repository |
| spelling | nottingham-611452020-07-21T06:33:07Z https://eprints.nottingham.ac.uk/61145/ An empirical comparison of commercial and open‐source web vulnerability scanners Amankwah, Richard Chen, Jinfu Kudjo, Patrick Kwaku Towey, Dave Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives. 2020-07-03 Article PeerReviewed application/pdf en cc_by https://eprints.nottingham.ac.uk/61145/9/Dave.pdf Amankwah, Richard, Chen, Jinfu, Kudjo, Patrick Kwaku and Towey, Dave (2020) An empirical comparison of commercial and open‐source web vulnerability scanners. Software: Practice and Experience . ISSN 0038-0644 commercial scanners; detection capability; open-source scanners; software vulnerability; vulnerable web application http://dx.doi.org/10.1002/spe.2870 doi:10.1002/spe.2870 doi:10.1002/spe.2870 |
| spellingShingle | commercial scanners; detection capability; open-source scanners; software vulnerability; vulnerable web application Amankwah, Richard Chen, Jinfu Kudjo, Patrick Kwaku Towey, Dave An empirical comparison of commercial and open‐source web vulnerability scanners |
| title | An empirical comparison of commercial and open‐source web vulnerability scanners |
| title_full | An empirical comparison of commercial and open‐source web vulnerability scanners |
| title_fullStr | An empirical comparison of commercial and open‐source web vulnerability scanners |
| title_full_unstemmed | An empirical comparison of commercial and open‐source web vulnerability scanners |
| title_short | An empirical comparison of commercial and open‐source web vulnerability scanners |
| title_sort | empirical comparison of commercial and open‐source web vulnerability scanners |
| topic | commercial scanners; detection capability; open-source scanners; software vulnerability; vulnerable web application |
| url | https://eprints.nottingham.ac.uk/61145/ https://eprints.nottingham.ac.uk/61145/ https://eprints.nottingham.ac.uk/61145/ |