What is our primary use case?
We use Acunetix for POC.
We have a scanner site website. We have two web applications, related to banking, that primarily serve our customers. We use Acunetix Vulnerability Scanner to ensure that the APIs that have been exposed to the customers are well-protected and don't have any major vulnerabilities.
We wanted to have some kind of vulnerability scanner which could evaluate our requests and tell us where any vulnerabilities may reside. For that purpose, we use Acunetix scanner.
Originally, we used version 3.12, but they provided us with different products including Acunetix Premium and Acunetix 360. We figured Acunetix 360 would be much better suited for our solutions; that's why we are currently using the trial version of Acunetix 360.
Within our company, there are around five to ten people using this solution. Some from DevOps, IT Security, and a few penetration testers use it.
What is most valuable?
The reporting is pretty good. I haven't seen reporting of that level in any other tool. It also allows for segregation. If I want to generate a report regarding vulnerabilities, I can simply select that particularly vulnerable section and it will generate a report with all the work in the web application.
Similarly, for PCI DSS auditing, I can also generate a report in multiple formats, including PDF, HTML, and doc files.
Segregation of reports is really, really good with Acunetix; it provides us with a lot of in-depth details. This feature stood out when comparing Acunetix with other tools.
It provides me with a list of vulnerabilities that we weren't able to identify when doing manual penetration testing. It located and picked out some hidden vulnerabilities as well, which are hard to spot with the naked eye.
What needs improvement?
The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.
Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.
The vulnerability identification speed should be improved. It takes more time compared to other tools I have used.
Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.
The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.
For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.
We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.
Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.
For how long have I used the solution?
We have been using a trial version of Acunetix for about a month.
What do I think about the stability of the solution?
The stability is good. The scans always produce consistent and reliable results.
We used Acunetix to scan three of our web applications.
What do I think about the scalability of the solution?
I think it needs to expand to other operating systems because most organizations use a Linux-based environment, which it currently doesn't support. I think that's a big problem.
How are customer service and technical support?
The technical support is really good. Whenever we experienced an issue, we just scheduled a call. It's not directly with Acunetix; their providers in India got in touch with us.
They are the ones who told us about the product, its features, and its specifications. They are who we speak with if we have any issues or need support. They act as a middle-man between Acunetix and us — they are resellers.
How was the initial setup?
Initially, I believe Acunetix provided us with two solutions. One was a SaaS, which means that they host it on their cloud. They also provide the option to host Acunetix on our internal servers, behind our firewalls, with an on-premise version.
The problem with the on-premise version is that it works only on Windows Servers. I can't install it on a Mac or a Linux-based machine. That was quite challenging for us because all of our cloud infrastructure consists of AWS instances, which run a Linux-based operating system.
As far as security testing is concerned, we would prefer to host Acunetix on-premise, because everything would be within our firewall. If we wanted to host it on the cloud, then we would have to sign a non-disclosure agreement, because they would know what vulnerabilities exist on our site.
For this reason, we generally prefer to host it on-premise, so that it is restricted to within our firewall and no one can gain access from outside. Setting up the on-premise version of Acunetix is quite challenging and it's not that straightforward because it only supports one operating system.
However, we found it so difficult to host on-premise that we actually had to stop. Instead, we have decided to go for the cloud version. All we have to do is send them our application to scan in their cloud.
What about the implementation team?
We followed an implementation strategy. With our compliance and security team, we followed a procedure with Acunetix so that any vulnerable information that exists on our site remains safe and secure.
We didn't deploy it ourselves because we used their SaaS model. There is no deployment from our side. Initially, we thought of hosting it on our own server; if we did, we would have required a dedicated person to look after the deployment and setup.
Since we don't have a Windows Server, we opted for the SaaS model because the on-premise version is only compatible with Windows Server. We don't have a license for Windows Server, so instead of purchasing all of the licensing, we just opted for the SaaS solution.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high, and moreover, it's kind of domain-based. For example, if I have one site that has a lot of sub-domains, they will register all of the sub-domains as individual sites. That caused problems for us.
We have three sites with 10 sub-domains each — so technically 30. We ended up having to purchase 30 licenses, which costs a lot. Instead of paying per site, I think it would be better if they proposed some other kind of pricing and licensing model, like Burp's model. That's why we preferred Burp over Acunetix.
With Burp, 10 agents can scan 10 sites. Even if we scale our application, we don't have to purchase a new license. We can reshuffle the agents to scan multiple websites. One agent can scan our site today, and the same agent can scan another site tomorrow. This is the pricing model of Burp, which was perfect for us.
The Acunetix licensing and pricing model is somewhat complicated. If we calculated all of our domains and sub-domains, the sum would be huge. That's why we thought of leaving Acunetix.
Which other solutions did I evaluate?
I believe we also evaluated ZAP and PortSwigger Burp Suite.
What other advice do I have?
The false-positive rate is not that high, but it's not very low either. There were a few false-positive cases that were triggered when we scanned both of our web applications. So, they're not minimal, but they're not high either; they occur somewhere in between.
The time it takes to remediate issues with Acunetix depends on the type of issue. Minor issues can be resolved within a day. Bigger issues, involving debugging from scratch, can take around a week.
In total, we experienced about five high-level vulnerabilities, three mid-level, and 17 low-level vulnerabilities. We also found a few DOM-based cross-site scripting vulnerabilities.
If you're interested in this solution, you have to consider the pricing model, because when your application is scaling, the cost of Acunetix also spikes up. If you want to scale, you need to look into the cost of Acunetix as well.
Also, the on-premise version takes a lot of effort. Maintaining a Linux-based system is a lot easier; it's difficult for some engineers to maintain a Windows-based operating system.
On a scale from one to ten, I would give this solution a rating of five.
On the positive side, they have a good reporting module and scanner, which is capable of identifying most vulnerabilities. On the negative side, I think the on-premise version needs to be improved. Rather than sticking to one operating system, it needs to support multiple operating systems.
Apart from that, the pricing model also needs to be revisited. If you want to scale an application, you have to spend more money with Acunetix because it uses a domain-based pricing model, which is not something I like using. For these reasons, I am giving Acunetix Vulnerability Scanner a rating of five.