Web Application Scanning Tool Analysis - Christopher Boedicker - 09/19/2019
 
 
Overview
- Understanding the Company's Web Application Scanning Requirements
- Constraints we face
- Current Web Application Scanning Situation
- Current & Alternative Web Application Scanning Tools
 
Web Application Scanning Requirements
- Conduct an annual web application scan in support of the Company's yearly security plan assessment & authorization.
- Scan each new application before it is deployed to the production server.
- Scan before requesting a unique exception (firewall, etc.).
- The web application scanning tool must support our unique environment.
 
Constraints
- Time of the analyst (assumes 1 FTE): 100% per application
  - Monitoring the scan: 24-72 hrs
  - Analyzing the scan report & creating the scan summary email: 2 hrs
  - Assisting the Customer's developer: 4+ hrs
- Size of the application: difficult to say; a larger, more complex app will take longer to scan, and its findings report will take longer to analyze
- Current average scan time: Automated: 24-48; Manual: 5 days
- Current rescan average time: 4 hrs
- Number of applications to scan annually: 150+
 
Current Company Web Application Scanning Progress
- Number of Web Applications: 150+
- Total scanned to date for 2019: 48 (Production: 14, Pre-Prod: 34)
- Total scanned in 2018: 74
 
Pricing of Web Application Scanning Tools

Tool | Accuracy | Avg. Scan Time | Cost
WebInspect | 96% | 24-72 hrs | Enterprise = $60k; Standard (current license) = $6750 x 5
Burp Suite | 50-100% (user controlled) | 1-4 hrs | Enterprise = $4k; Professional = $400
IBM AppScan (aka Hailstorm) | 92% | 1-4 hrs | Enterprise = $18-30k; Standard = ?
Synopsys Seeker (Container Compatible) | unknown | | Enterprise = $2500; Stand-alone = ?
Acunetix Web Vulnerability Scanner | 94% | |
 
Conclusion
To suit our immediate needs, Burp Suite is the best option available; we recommend Synopsys Seeker for looking at containers in the near future.
- Slides: 7
