Web security scanner Netsparker gets a thorough testing

Web security specialist and Microsoft MVP Troy Hunt has published a detailed review of the web security scanner Netsparker.

Hunt tested the application by pointing it at a test site with "about 50 serious security vulnerabilities" and checking exactly what it managed to uncover.

Netsparker’s finished report highlighted 41 items (10 "critical", 5 "important", 4 "medium", 11 "low" and 11 "information") covering SQL injection, cross-site scripting, transfer of key data over http, cookie issues, out-of-date applications, and more.

Hunt praised Netsparker for its ease of use, and a level of detail which saw "a great explanation that’s very easily legible" (the test report is available as a PDF if you’d like to check it out for yourself).

Unsurprisingly the program missed a number of issues, in particular relating to password issues, and the review breaks these down into 8 high risk problems, 2 medium and 2 low.

Hunt concludes that Netsparker and similar tools can save you time, but they’re no magic bullet: you need to properly understand any highlighted vulnerabilities and how to close them correctly.

It’s a helpful review, and worth a read for anyone interested in automated web security testing. If you’d like to try Netsparker for yourself, a demo of the $1.95K/ year full edition is available, but a more limited (though still useful) Netsparker Community Edition is available for free.