What is our primary use case?
We are doing dynamic code testing with some of our different websites and other applications that we've developed in-house.
Right now, we are doing the basics: kicking off the target, controlling it, and seeing what it comes up with in the report. We haven't done any importing yet.
We are using the Windows onsite solution.
How has it helped my organization?
We have had more success with this particular product being able to control our different applications better than some of the other applications that we have used in the past, as far as checking for vulnerabilities. We know our apps are more secure.
It takes a few weeks just to look at the entire process. We take the reports, send them to the business team, who give them to the analysts, and then come up with the remediation plan. Afterwards, we scan it again unless there are critical issues, which are done in less time.
What is most valuable?
The ability to be on the website and test for different vulnerabilities.
We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why.
I can have a scan set up within five to ten minutes by double checking the login script works, so it doesn't take long at all.
We have found a few cross-site scripting vulnerabilities.
What needs improvement?
On the vulnerabilities screen, where you put your target on the drop-down, it would be nice to have more choices, not such limited options.
One thing that we used to be able to do in other applications with a macro was step-by-step filling in the fields of the app and being able to test certain forms. I haven't seen this in Acunetix. This would be a longer macro instead of just doing a login, i.e., we are looking for a workflow process.
We have experienced few false positives. Though, it does depend on the application, because sometimes it will identify false positives on one application but not on another.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The solution is stable.
We have had issues/hiccups during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version. This has been frustrating, because there have been some tweaks that hurt us from this perspective. This hasn't happened on every release, just a couple.
I am the main user for the product. We also have a couple of other people on staff who run scans.
What do I think about the scalability of the solution?
It seems to be scalable. Right now, we are just using it at our primary locations and are scanning about 25 different apps. We are looking at the process of being able to scan more than one app simultaneously. It should fit our needs going forward.
How are customer service and technical support?
The technical support has been very helpful, and pretty quick to respond to emails or when I call in.
Which solution did I use previously and why did I switch?
The speed is phenomenal. Some of our applications can do a scan in less than ten minutes, even some of our bigger scans. We were using Micro Focus Fortify WebInspect when it was owned by HPE, and it would take two or three days for it to scan everything. Acunetix can scan everything within 13 hours, which is sort of a long time, but still much shorter than the other apps that we were using. So, it seems to be pretty quick and pretty thorough.
We switched solutions because of cost and because the scans were taking too long.
How was the initial setup?
The setup is very straightforward with the database and the way that we use it.
They have a very good support website, so you can find out answers to questions and reach out to the support team.
Downloading and updating the software took 10 to 15 minutes (deployment). I am the person who does the deployments and upgrades.
What about the implementation team?
We did the deployment in-house. We did use the Acunetix support when dealing with the install or any type of setup piece. It was seamless, which was good.
What was our ROI?
We found it to improve our processes and findings.
The solution is paying for itself, as our applications are more secure.
We have found several hundred medium to high level vulnerabilities in our applications. In just one application, we were able to identify 75 of these vulnerabilities.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing are reasonable to a point. In order to run multiple scans at a time, we are going to have to purchase a 100 count license, which is overkill. Though, compared to what we were paying for, the cost seems reasonable.
Which other solutions did I evaluate?
We went with the recommendations of our parent company. This was one of the approved solutions.
What other advice do I have?
It is a pretty good product.
Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites.
We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should or take full advantage of it. Right now, we're pretty much in the infancy of building out the solution. It's nice to be able to look at the dashboard and see the vulnerabilities which are there. However, at this time, we are not doing the retesting with the scans to clear them out. So, we are not taking advantage of this feature.
We are looking to increase the usage of the product to do multiple scans. We will potentially be increasing the number of applications that we are scanning. We are also looking to add the AcuSensor piece with our Jenkins Pipeline, but we haven't gotten there yet.