What is our primary use case?
Dynamic application security testing is our primary use case. I don't know if it would be used as a primary solution, but as a supplemental solution, Acunetix is very good for scanning applications and finding vulnerabilities.
We're a global organization. We're a large book publisher around the world. We use it globally: China, Australia, Europe, Asia, India, South America, Canada, and the USA. It's a global solution.
How has it helped my organization?
It has been instrumental in supplementing services that we already have.
What is most valuable?
Scheduling of testing cuts down on the manual, tedious activities that go into setting up a test site.
One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that.
What needs improvement?
I would like to see them build up that IAS tool, the Interactive Application Security Testing module that is embedded with PHC. That's a very cool function.
I would also like to see them enhance the database. I don't know what version of OWASP Top Ten vulnerabilities they actually employ for Acunetix, but there are some versions of OWASP Top Ten vulnerabilities out there and I would like to see some PCI included as well within Acunetix. That would be great.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
The stability is great. We have never had any service drops. Whether we have run a web service where we allow our security professionals to access Acunetix over a URL, we have never had any problems with someone signing into the actual server and running Acunetix from a platform; or from an application perspective, where they're launching applications from the desktop of the server. Both have been pretty great.
What do I think about the scalability of the solution?
We are only using Acunetix as a secondary solution. We already employ Qualys as our primary solution but that was getting overworked. We needed to relieve it of some of the workload that we were sending it. What we did was look at a solution like Acunetix to help supplement some of the work that Qualys is doing for us. But since it is a secondary tool, scalability was never really an issue because we weren't asking the solution to scale at all.
How are customer service and technical support?
Tech support is not a 24-hour. It's more of a ticketing-type of solution where you e-mail the support team. We always go through our reseller for support. Response time is average, about a day or so until they respond.
How was the initial setup?
The setup and upgrades could be easier. I would like to see a wizard to take you step-by-step.
Upgrading v7 to v8, we had to do a fresh reinstall. We had to uninstall it and reinstall it rather than just reaching out, grabbing an update and have it fix itself. We had to go into some files and re-input a key and we actually needed to call support to help us with upgrading from 7 to 8. We had to create a support ticket, call one of the resellers of Acunetix, and get some assistance with that.
So a wizard would be great, a step-by-step instructional program that guides administrators or security professionals along the way, especially with upgrades from version to version or initial installs.
They should make it a little easier for security professionals or system administrators to get the software into the actual infrastructure. Without that, people are running around, searching for Wikis and documentation that supports deployment on multiple devices. I know when I was first working with Acunetix and getting it deployed into our environment, we ran across those issues. I would like them to make it a little easier, where automation plays a key in driving deployment of Acunetix, versus a manual installation process.
If you know what you're doing, the deployment of Acunetix can take less than 30 minutes.
What about the implementation team?
Everything was done internally.
What was our ROI?
Return on investment is hard to track because it really depends on the criticality of the vulnerabilities and what the business costs or impact could be if those vulnerabilities were actually exploited. We have a vigorous application security program so testing activities like SAST and DAST must take place. I know if we were to remove our DAST program and not test our websites, we could see an immediate cost-effect as a result. But since Acunetix is used as a secondary tool, we don't know if it actually provided any real cost metrics where we could say: "Okay, because of our use, we have saved X amount of dollars because it found Y amount of vulnerabilities that saved us Z amount of time remediating." Those metrics are not known.
What's my experience with pricing, setup cost, and licensing?
We have a corporate deal and we're almost at the end of that contract. We are looking to renew Acunetix, but we were told that the price was increasing greatly because of some advanced capabilities, or miscalculations of value. It's increasing by 3.5-fold from what the initial quote was. Because of that, we have to go back to the drawing board and figure out cost-to-capability value, versus features that we could get for that same amount.
At the current pricing structure, it doesn't save us money. It winds up costing the program money due to the fact that it's increasing in cost. At the time when we signed up initially, it was very beneficial because of its cost. When we looked at all other vendors and what they were asking, to provide a third of what Acunetix was capable of doing, it was an easy decision. With the IAS modules and everything else that we got as an add-on, it made it a real value compared to all the other competitors out there. But now that it's coming to a cost where it's line with market value, it becomes more of a competition.
Which other solutions did I evaluate?
There were other tools in the running, although I don't remember off the top of my head which ones. At the time, Acunetix was the winner mainly based on pricing and capability.
As I said, Acunetix is a secondary tool for us. We use Qualys as our primary DAST solution and when that gets overloaded we turn to Acunetix to supplement some of the load that we're putting on our prime solution.
Compared to other vendors in the field, the speed of Acunetix is just about average. Something like Micro Focus WebInspect scans about ten percent faster. If you're looking at IBM AppScan it might be five percent faster. We're not looking at a huge percentage difference in the time Acunetix takes to scan versus others.
The false-positive rate of Acunetix is definitely not perfect. No tool is going to avoid all false-positives. The false-positive rate of Acunetix falls - I don't want to say below average - but it's almost the same as everyone else. What I have to say, honestly, is that I do find myself correcting a lot of the false-positives that show up in Acunetix right now. We don't get a 50 percent margin, but I estimate that 25 percent of the reported vulnerabilities are false-positives in Acunetix.
What other advice do I have?
At the current pricing structure, I would tell people to do their research. If you have X amount of dollars to spend in the budget, and you're looking for a good solution, definitely consider Acunetix, but also consider other tools for similar features and functionalities where you may get a little bit more bang for your dollar, frankly, versus a tool that's still maturing as it's starting to take market share. Acunetix is a very intermediate tool. It's not an advanced DAST solution. It's still in its infancy. There's a lot of the solution to still build out, a lot of features to still work on, but it is definitely a tool that's worth looking into. Keep in mind, for that same price structure, you can get more established, more brand-name solutions.
The speed of the solution is about average. I use a lot of DAST solutions and I can't say that I'm blown away by the amount of time it takes to complete a security assessment, but I do like that it's not slow. It's not the fastest tool I've ever seen, but it's not the slowest tool I've ever seen, so it meets my expectations. It is a fast application but I'm not blown out of the water by it.
It definitely meets the benchmark. Like I said, it doesn't fall below expectations. When you're running Acunetix against a site, looking for security vulnerabilities, you're not blown away by the speed, but you're not sitting there for a day-and-a-half waiting for results or waiting for a scan to complete. It really depends on the size of the application and the granularity of that application. Acunetix performs just as expected. It's not a bad thing.
We have very large applications, so it could be less about the solution and more about the depth of our applications. A lot of our applications have special prerequisites that Acunetix just can't expect or predict. A lot of it is giving Acunetix the proper permissions and things of that nature to go in-depth with DAST scans. On average, depending on the application, it can take anywhere from six to eight hours.
We host Acunetix on our own environment. I don't think they have a SaaS solution yet. We host it in an in Azure environment where we put it on our own server - a dedicated server - specialized to doing DAST security scans - and we are happy. We're not unhappy with Acunetix, but we're not greatly excited that this is the best tool ever. But we are very impressed by some of the things that it has been doing. It's that middle ground. It's a good tool. I would definitely recommend it.
The remediation rate is based on the maturity of our development team. Acunetix doesn't provide a format that makes remediation easier. It does what every tool does and gives us the vulnerability, explains the vulnerability, and gives us some remediation guidelines or tips, but that's what everyone does. So it really depends on the workload of our development team, and what backlog they have or what their sprints look like going into the next cycle. It has very little to do with the tool and more to do with the capability and workload of the development teams.
Using it on a secondary basis, we have found some medium vulnerabilities but no critical vulnerabilities which required immediate remediation. What I do notice about Acunetix is that there's a lot of "white noise," a lot of "background noise," things that just don't apply. When filtering those out and removing the false-positives that don't apply to the actual application, we may find one cross-site scripting. That may be a medium vulnerability but not a high vulnerability because of business impact. There are different risk ratios that we apply to different findings, but we haven't found anything critical with Acunetix. It could just be that we don't have any critical vulnerabilities in that environment - although I don't think that's the case. In terms of DOM-based cross-site scripting vulnerabilities, it all depends on the application.
We don't have it deployed on any Linux server. It's on our Windows environment. We have it in Azure, in a cloud, so it's a Microsoft framework that we have Acunetix installed on top of.
All of our users of Acunetix are in development and security roles. The number of users is well into the hundreds. I administrate the tool, I set the roles and also manage users and user interface and interaction. We have a dedicated server team that does maintenance and deployment. If we need to deploy another instance of Acunetix, that is usually done by our server team. They handle all server infrastructure activities. I am the senior security engineer, so I handle all security-related activities.
We don't have plans to increase our usage of Acunetix. We may stop usage. Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted. As a secondary solution, we're trying to figure out, is it worth the extra cost just to have it do some supplemental scans for us. We're still evaluating that.
Overall, Acunetix is definitely a seven out of ten. I like the product. It's doing a lot of what its competitors are doing. It's running great DAST scans and it has a rich database of vulnerabilities that it can report and it also provides a web component of its solution where you don't necessarily have to sign on to a physical server or a virtual device to interact. You can, but you can also contact Acunetix through a web interface, which is great. But the interface, in general, is still very simplistic, which may be a good or bad thing. The reporting could be a little bit better. When ending a scan I would like to see more graphical representations, maybe trends from scan to scan, of how the overall maturity is going of the application project that it's scanning or assessing. The reporting is okay. It does give you the option to do PDFs or CSVs. More reporting formats, like an Excel format, maybe an XML format, would be great.
Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA. All findings that Acunetix happens to run across could be sent straight to JIRA. That would increase our remediation rate because it's very seldom that developers read PDFs of security vulnerabilities. One of the things that Qualys does is allow us to integrate into our JIRA environment, into our Jenkins environment, etc. We haven't seen the same capabilities with Acunetix.
Because of these things, I have to give it a seven. It's ultimately a great tool, a great scanner, and you can really rely on some of its findings once it's tuned.