Acunetix has primarily been used for application security, and it has also been used for vulnerability management, though not as extensively, because the Qualys Guard Total Cloud solution was being used for scanning cloud assets.
Qualys Total Cloud was used to scan cloud assets. Earlier, when using CLI tools like Troller, there was not much visibility because the reporting section of the CLI tool was not that helpful. However, Qualys Guard Total Cloud offered advanced reporting features and the option to share vulnerability reports directly via email, so the end participant's email address could be entered for automatic report delivery.
The crawling option in Acunetix is really good because whenever a scan is initiated, the crawling phase provides good coverage of the vulnerabilities identified in the application. The attack phase that follows crawling is also quite good. When the application is configured in authenticated scan mode with Acunetix, it provides good visibility into the security vulnerabilities in the application.
The experience with Qualys Total Cloud was really good: when Qualys Guard was used to scan cloud security assets, it identified the vulnerabilities and helped differentiate between valid and invalid findings. Qualys Guard is called Total Cloud because cloud assets are scanned regardless of the environment, whether it is GCP, AWS, or Azure.
Improving the handling of false positives would be beneficial because it can be challenging to trust the findings flagged by Acunetix, and those findings must be manually validated. Sometimes the scanner shows a vulnerability count exceeding 100, and manually assessing the findings can be quite a challenge.
The main concern is related to false positives; Acunetix needs to work on identifying valid and invalid findings. While Checkmarx has very good coverage, its pricing is quite high. If Acunetix improves in handling false positives, it will make a significant impact in the security world.
Acunetix has been used for a long time, about five to six years, along with Netsparker and other automated scanners.
The experience has been pretty smooth without crashes, downtimes, or performance issues with Acunetix.
Acunetix is quite scalable.
The tech support from Invicti for Acunetix is really good. Whenever a support ticket is raised, their SLA is quite nice. For high-severity issues, they reach out within two to three hours, and for critical issues, a response is received within 15 minutes.
The tech support would be rated an eight out of ten.
As far as experience is concerned, only the Checkmarx SAST tool has been worked on; no other Checkmarx products, such as Checkmarx One, have been used.
Rapid7 Nexpose has been used, but no other Rapid7 products have been explored. Additionally, Qualys Guard and the Qualys VMDR (Vulnerability Management, Detection and Response) solution have been worked on.
The setup process for Acunetix is not that complicated, and Acunetix support can always be contacted. Whenever Acunetix is onboarded in the environment, the Acunetix team assists with the installation, making the setup quite easy.
The pricing is affordable for small and mid-sized organizations, and compared to Checkmarx it is significantly more affordable, as Checkmarx is quite expensive.
The cost-effectiveness is really good because it comes under the budget of organizations looking to use automated scanners, which really helps and saves time.
Currently, work is being done with AWS cloud security and application security tools such as Burp Suite, and various automated scanners such as Netsparker and Acunetix are also being used, along with vulnerability scanning tools such as Nessus Professional and Rapid7 Nexpose.
Acunetix is good, even though there have been some issues related to false positives. Whenever an automated scanner like Netsparker or Acunetix is used, it takes time to run the scan. Once the scan is completed, the false positives flagged by the scan need to be identified. Acunetix is a good tool because, when there is little time and the team needs to perform a security assessment, a manual assessment of a large application takes almost a week, whereas with an automated scanner like Acunetix the same task can be done within three to four days. Authenticated scans are usually preferred with any automated scanner like Acunetix because they provide much more visibility into the application being scanned, and the results from authenticated scans are very good compared to unauthenticated scans.
Acunetix was used recently, about three months ago.
Acunetix was not used for AWS because various other AWS solutions are available to determine vulnerabilities in the cloud, primarily AWS Inspector, which is used to scan the AWS cloud. Security Hub is also used for cloud security posture management, so when it comes to scanning the cloud, AWS Inspector is primarily used.
Acunetix was hosted on the AWS cloud; the applications being scanned were not on-premises solutions but were hosted in the AWS cloud, and they were scanned using Acunetix.
The integration part has not been explored much because other tools are available, but Acunetix supports YAML files that can be used to integrate those scans into the CI/CD pipeline. However, Acunetix scans have not been integrated into the CI/CD pipeline.
The Acunetix network security component has not been used.
If there is little time to perform manual security assessments, Acunetix is a good option: where a manual security assessment takes almost a week, the same task with Acunetix can be completed within three to four days, which really saves time for the entire team. The results come faster, and the interactive reports generated by the dashboard can be shared. This helps improve the overall security posture.
The features present in Acunetix are quite good and serve the purpose well.
Acunetix is definitely recommended for scanning, and if someone asks whether they should use Acunetix to mitigate the threats identified in their applications hosted in AWS cloud, it would definitely be recommended.
When the continuous scan approach is used for security compliance, it really helps because the scan is not paused for any reason, like if the application goes down. With the continuous scan operation, the application is continuously assessed by the scan engine of Acunetix, and the results from the continuous scan feature are quite good. The continuous scanning feature has been used.
If an organization has 100 plus applications and wants to use an automated scanner, they should definitely go ahead with Acunetix because it is very cost-effective and will save time compared to focusing on other solutions and performing manual security assessments.
The recommendation for other organizations considering Acunetix depends upon their requirements.
This review has been given a rating of 7 out of 10.