Best Web Application Security Testing Tools and Scanners
To help you find the best web application security testing tools, IT Central Station ranked them based on hundreds of real user reviews, from our esteemed community of enterprise technology professionals. You'll find comparisons of pricing, performance, features, stability and many other criteria. Read below to find out what your peers have to say about web application security vendors such as Imperva, Checkmarx, Cloudflare, Fortinet and others.
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows. The product with the highest count in each area gets the highest available score for that area (20 points for Reviews; 16 points each for Views, Comparisons, and Followers). Every other product gets points in proportion to its count relative to the #1 product in that area: for example, if a product has 80% as many reviews as the product with the most reviews, its score for Reviews is 20 points (the weighting factor) * 80% = 16. For Average Rating, the maximum score is 32 points, awarded linearly on our rating scale of 1-10. If a product has fewer than ten reviews, the point contribution for Average Rating is reduced (a one-third reduction for products with 5-9 reviews; a two-thirds reduction for products with fewer than five). Reviews that are more than 24 months old, as well as those written by resellers, are completely excluded from the ranking algorithm.
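The scoring scheme above, implemented as an added illustration (this is not IT Central Station's own code). It assumes the 16 points apply to each of Views, Comparisons and Followers, that "24 months" is 730 days, and that the linear Average Rating map sends an average of 1 to 0 points and 10 to 32; the sample products and review counts are constructed, not real data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Maximum points per "count" area, as stated in the methodology above.
AREA_MAX_POINTS = {"reviews": 20, "views": 16, "comparisons": 16, "followers": 16}
RATING_MAX_POINTS = 32
REVIEW_MAX_AGE = timedelta(days=730)   # "more than 24 months old" (assumed 730 days)


@dataclass
class Review:
    rating: int          # the site's 1-10 scale
    written: date
    by_reseller: bool = False


@dataclass
class Product:
    name: str
    views: int
    comparisons: int
    followers: int
    reviews: list = field(default_factory=list)


def eligible_reviews(product: Product, today: date) -> list:
    """Drop reviews older than 24 months and reviews written by resellers."""
    cutoff = today - REVIEW_MAX_AGE
    return [r for r in product.reviews if not r.by_reseller and r.written >= cutoff]


def rating_points(reviews: list) -> float:
    """Average Rating contribution: up to 32 points, linear in the 1-10 average,
    reduced by one third for 5-9 reviews and by two thirds for fewer than 5.
    Assumption: an average of 1 maps to 0 points and an average of 10 to 32."""
    if not reviews:
        return 0.0
    avg = sum(r.rating for r in reviews) / len(reviews)
    points = RATING_MAX_POINTS * (avg - 1) / 9
    n = len(reviews)
    if n >= 10:
        factor = 1.0
    elif n >= 5:
        factor = 2 / 3
    else:
        factor = 1 / 3
    return points * factor


def score_products(products: list, today: date) -> dict:
    """Return {product name: total score}. The leader in an area gets that
    area's maximum; every other product gets max * (its count / leader's count)."""
    counts = {
        p.name: {
            "reviews": len(eligible_reviews(p, today)),
            "views": p.views,
            "comparisons": p.comparisons,
            "followers": p.followers,
        }
        for p in products
    }
    leader = {area: max(c[area] for c in counts.values()) for area in AREA_MAX_POINTS}
    scores = {}
    for p in products:
        total = 0.0
        for area, max_pts in AREA_MAX_POINTS.items():
            if leader[area]:            # an area in which nobody has any count scores 0
                total += max_pts * counts[p.name][area] / leader[area]
        total += rating_points(eligible_reviews(p, today))
        scores[p.name] = total
    return scores


def rank_products(products: list, today: date) -> list:
    """(name, score) pairs ordered best-first, as the bar chart would show them."""
    scores = score_products(products, today)
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


# Constructed sample data (not real review counts): product A leads every area.
TODAY = date(2018, 1, 1)
SAMPLE = [
    Product("A", views=1000, comparisons=500, followers=200,
            reviews=[Review(10, date(2017, 6, 1)) for _ in range(10)]),
    Product("B", views=500, comparisons=500, followers=100,
            reviews=[Review(10, date(2017, 6, 1)) for _ in range(8)]
                    + [Review(10, date(2017, 6, 1), by_reseller=True)] * 2   # excluded
                    + [Review(10, date(2015, 1, 1))]),                       # too old
]

if __name__ == "__main__":
    for name, score in rank_products(SAMPLE, TODAY):
        print(f"{name}: {score:.2f}")
```

Product A scores the full 100 points; product B, with 8 eligible reviews out of 11 and half of A's views and followers, scores 48 count points plus two thirds of the 32 rating points. Running the block shows how heavily the reseller and age exclusions and the small-sample reduction can move a product's bar.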
It has so many features. First of all, it has a full proxy architecture, it has multiple modules. The best feature is the WAF, the web application firewall module. It also has caching-type capabilities. It has all kinds of load-balancing... more»
It has multi-tenancy features, like hardware clustering. It has software partitioning so that you can partition F5. For example, in my recent deployments, I deployed F5 in a bank where they had two load balancers. One was Cisco Ace and the... more»
The room for improvement is that the product is a little costly. I live in the Third World, Pakistan. We have budget constraints, even in big enterprise servers. My team said that this product is too costly, and why don't we go with another... more»
The most valuable feature is the F5 LTM, which most organisations will be using most. It provides the core functionality to be able to load balance services and the means and the intelligence to be able to load balance based on advanced logic, e.g.,... more»
It has enabled us to keep a sustainable and supported load balancing platform. This is partly due to Cisco withdrawing a large number of their load balancing products and also related to Microsoft Network Load Balancing not scaling enough to... more»
I would like F5 to incorporate the ability to create your own custom roles and customised permissions within the product set. I have seen many customers wanting to give a certain level of access for the purposes of out-of-hours servicing to... more»
CloudFlare offers some of the most amazing features when it comes to optimizing websites & for its security for free, and all at the domain level. They were able to truly disrupt the market because prior to them, only enterprises had... more»
As mentioned, it helps me manage DNS records for more than 100 domains with ease. It helps in web page optimization & helps keep the website secure. If it was not for CloudFlare, I would have to hire a dedicated resource to manage all... more»
CloudFlare is an innovative company and certainly the thought leaders in their industry. They're constantly improving their product, releasing new features, partnering with various service providers to offer add-ons. Personally, I think... more»
* iRule: It's a great feature that helped us multiple times have an advantage over competition.
* Appliance Performance: One of the main advantages we always have over competition is in hardware performance, where the smallest F5 appliances compete with competitors' medium to high-end appliances, while high-end devices can sit in the datacenter without risking... more»
* Reporting: One of the negative things about F5 is there is no place to generate a summary/executive/detailed report about everything happening on the box, especially for WAF & APM events. The only way to get some kind of report is to enable the AVR module, and manually export the data required into PDF/XLS documents.
* GUI interface: F5 appliances lack a... more»
* I like to see the security. On the site security, I can see which countries have incidents, whether it was a robot attack, a real human user, or non-human user. For this feature, I like it because I can see information quickly without going... more»
When I joined the company, one of our websites was hacked by malware (somebody put it on our website). The website went down for a long time. It took two weeks to clear the server and move everything: all the content, clean it, bring it up,... more»
I am not sure if this application has a policy where you can create your custom policy and run it as our firewall. We should have some ability to also create some custom policy, then run it as a firewall. Maybe it is not relevant, but I think... more»
Many features are buried under not-straight-forward options and, at times, hard to find screens. Very few import features have clearly defined format requirements. Agent installation for data usage/blocking activities on target boxes requires... more»
We like the capability to combine the content switching with the intrusion prevention and adding the security roles, so we can expose certain sub-pieces outside without exposing everything. Another feature that we like is how they integrate nicely with the Oracle PeopleSoft application, and since that's one of my main focuses, I really like that they have the... more»
I have been really happy with what they have been doing. They could improve the synchronization between their main site and the failover site. Sometimes, we run into issues where it does not sync well, so I would like to see that improved. The synchronization does work fairly well. However, if I were to make changes, I would make it easier to start the sync... more»
Incapsula: It has provided heightened visibility and awareness at management level on the actual threat landscape; it paves the way for easier approval for security-related implementations/projects. CloudFlare: It provides free SSL certs that... more»
Incapsula:
* Allow easier scripting of firewall rules.
* Enable more custom actions to trigger turning on/off Incapsula settings (current actions are quite limited).
* Allow setting up of user groups to manage different groups of sites with... more»
These are some of the valuable features:
* Free 15 year SSL certificates (I used to need to pay for these).
* Spam protection to help prevent spam and unnecessary bot traffic.
* Edge caching on a CDN. This is nice for WordPress sites. I can... more»
Once a domain's name servers have been pointed to CloudFlare, you never have to worry about DNS propagation. This would be the case, for example, if you wanted to point a domain to a different EC2/digital ocean instance.
In that sense, it's marketing that could use some improvement. It is hard to call your own product a "necessity", but I truly believe that it, or something like it, is a necessity. Without it, you are risking higher costs, more spam, more... more»
I would say that the active threat detection feature and adaptive rules are the most valuable for us. With active threat detection, we are no longer over-swamped with tons of useless events. As all the payloads from malicious requests are... more»
We added a real-time protection layer for all the web-facing applications and APIs in our CI/CD pipelines. As every one of the applications is updated almost every day, it was impossible to use any tools based on signatures or static rules.
* The export feature and presentation of the results.
* The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
* A wide variety of modern programming languages are supported,... more»
For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon. Checkmarx... more»
The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode. Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode... more»
The most powerful feature is the ability to first learn what type of query to make to your web application when it is attacked and what type of query creates a false positive to your app. You can first learn Wallarm in monitoring mode, then... more»
The API gives us the ability to remote control our DNS settings. With many platforms, such as PF-Sense integrating with CloudFlare, it’s an invaluable tool for things such as Dynamic DNS, Let’s Encrypt DNS-01 Challenge, or even as a rapid... more»
* We need templates and profiles badly for the whole setup and multi-user support with rights management.
* They need to fix their extensions and integrations faster.
* They need to add more sub-level API keys.
* Very easy to configure, which quickly allows us to add significant security to our websites.
* Nice dashboard, which shows us details about traffic, security, performance, real-time utilization and an activity log.
* Easy to configure... more»
With our IT infrastructure more secure, our customers receive a great website experience without encountering website defacements and other fallout from attacks on our web servers. Our IT department is not spending the time we used to on... more»
An Incapsula website configuration instance can be in a "Pending DNS changes" state, where further work needs to be done by the customer, while website access is otherwise fully functional. While in this state, the PCI Compliance Report... more»
* FortiAnalyzer (SIEM) integration is useful for us because we collect in this device almost all the security events from the network. We are using an exact URL (no default page, no home page) for our e-banking services for enterprises. Then we... more»
I think Fortinet must make an effort in terms of upgrade procedures. There were some troubles upgrading from 5.2.x to 5.3.x, and the problem appeared again upgrading from 5.3.x to 5.5.x:
* Upgrading from 5.2.x to 5.3.x. Fortinet provides a... more»
In my opinion, the following features of FortiWeb 4000E are the most valuable & were appreciated during all my previous engagements: * 20 Gbps appliance throughput makes it useful for large enterprise deployment and also meets future... more»
* Operations overhead (administration and escalation management) has been brought down, as Fortinet provides flexible and customizable reporting options with the FortiAnalyzer appliance for logging and reporting.
* Rule creation and fine... more»
Product support is a major concern; if FortiWeb wants to become a market leader, then it must provide better after-sales services. The automatic policy learning feature also needs some improvement, as using this feature leads to more false... more»
I would not say it has improved how we function because I think that other leading vendors' firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.
The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering... more»
The areas in which this product needs to improve are:
* C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported.
* There were issues in regards to the JSP parsing.
* Defect report... more»
Domain name scanning, since it allows us to scan all our domain names and determine whether a domain has malware or is reported as phishing. Sucuri also gives us details on content that may have triggered the malware/phishing report.
The product has sped up our ability to detect suspicious domains and alert the registrants or relevant parties. It has also allowed us to share more details on such detections to the relevant parties since the report is comprehensive enough.
* Confidence score: Currently it does not have one, and there are cases where most websites flagged are false positives. Since they don't have it, we end up manually reassessing the website. It would be good if they had it so we could tweak... more»
I have used the cache feature of CloudFlare CDN. CloudFlare is very easy to set up for my site domain. It is very easy to maintain. CloudFlare flushes the cache immediately, which is not supported by some of the other CDN networks such as... more»
There are some features missing or might not be visible to me as I am using its free website plan. These features are: * CloudFlare doesn't provide the cache flush history. I.e., I am not able to find out the URL information of those I have... more»
HPE Fortify on Demand, Checkmarx, Veracode, IBM Security AppScan, QualysGuard Web Application Scanning
What are the best application security testing tools?
IT Central Station’s crowdsourced platform helps technology professionals make informed decisions, by providing user reviews without... more»