We changed our name from IT Central Station: Here's why
Get our free report covering OWASP, Micro Focus, Acunetix, and other competitors of PortSwigger Burp Suite Professional. Updated: January 2022.
564,729 professionals have used our research since 2012.

Read reviews of PortSwigger Burp Suite Professional alternatives and competitors

Security Engineer at Secure Network
Real User
Top 5
Very easy to set up because they give you an installer that does everything
Pros and Cons
  • "Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
  • "I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."

What is our primary use case?

We needed it to scan our internal network and web applications. 

Our security team of five people used it. We scheduled some monthly scans for web applications, which were not being used, to check for vulnerabilities and also vulnerabilities on new features.

How has it helped my organization?

Where I worked was a big group where there were many agencies under it, and we did the security for all other agencies. With Acunetix, we cut the time to make infrastructures and web applications (for our colleagues) more secure.

For one application with two or three critical vulnerabilities and some other vulnerabilities, it took like a week to remediate issues because the scan and findings were really fast. 

What is most valuable?

What I found to be valuable was the fully automated scanner because it is really fast. 

Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.

Acunetix saves on the cost of time because it is fast.

When Acunetix finds a vulnerability, it also checks for a false positive so it can be a 100 percent sure about the issue that it found. The false positives are really low, maybe one percent.

What needs improvement?

I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection. 

They need more customized scans along with a way to edit their default payloads. While you can select which check to do, you can't add which payload to use.

For how long have I used the solution?

I used Acunetix 20 months ago at the last agency where I worked.

What do I think about the scalability of the solution?

The scalability was okay. We didn't need to do much work to implement it into the network or some web applications, so I think it's really easy to scale. We didn't need to do work on it because the solution is adaptable to every environment.

There were about 20 websites and other web applications.

How are customer service and technical support?

I never needed to talk to the Acunetix technical support.

Which solution did I use previously and why did I switch?

They were previously using Fortify WebInspect, which was good, but very costly.

How was the initial setup?

It was very easy to set up Acunetix, as they give you an installer that does everything. You just need to click: "Install".

It takes a maximum of 10 minutes to deploy, if you want to read everything.

We did other configurations to enable the IP address to talk to all the networks.

We also used Acunetix on a Linux server. The deployment process was the same as Windows. It was just another installer, but for Linux.

What was our ROI?

It saved us many weeks of work.

We didn't sell anything with Acunetix, so it was just an improvement for ourselves.

If someone would have hacked us, they probably would have caused much damage. However, now with Acunetix, they shouldn't be able to cause to damage.

What's my experience with pricing, setup cost, and licensing?

I think all the scanners, except Burp Suite, are a bit costly.

Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future.

Which other solutions did I evaluate?

Acunetix is the fastest scanner available compared to applications like Netsparker and Fortify WebInspect. The longest scan with Acunetix, and it was for a huge web application, took only four hours. Other scanners did the job in six to eight hours. 

While I like Netsparker, it is really slow compared to other scanners.

What other advice do I have?

We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad.

We found three or four DOM-based XSS vulnerabilities using this solution.

It did not require maintenance on our part. We just needed to give it some credentials.

I would rate it as a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Riley Black
Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees
Real User
Increased productivity, helped build and improve security and development departmental relationships
Pros and Cons
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"

What is our primary use case?

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard the build breaks and the flaws are remediated before releasing to Stage and ultimately Production -  where the potential impact is much more costly. 

We have discovered opportunities to make our code even better thanks to Veracode!

How has it helped my organization?

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. 

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships as well as enabling developers to consider and care about application security. 

What is most valuable?

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA /SourceClear - Veracode SCA / Source Clear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

What needs improvement?

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and Root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we can upload and .ipa or .apk into a Veracode simulator, provide credentials and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

For how long have I used the solution?

I have been using Veracode for about two years now.

What do I think about the stability of the solution?

It seems to be very stable, no problems thus far.

What do I think about the scalability of the solution?

It has lots of growth potential, lots of room for improvement.

How are customer service and technical support?

Exceptional!

Which solution did I use previously and why did I switch?

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / Powershell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

How was the initial setup?

The initial setup very straightforward and integrations were up and running in a matter of days after purchase.

What about the implementation team?

Implementation was in-house (Deployment, Automation Engineers, Myself)

What was our ROI?

Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross departmental relations is priceless!

Which other solutions did I evaluate?

We also evaluated WhiteHat Security.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Consultant at a tech vendor with 11-50 employees
Consultant
Top 10
Good reporting and integrates well into the software development lifecycle
Pros and Cons
  • "It is really accurate and the rate of false positives is very low."
  • "Support response times are slow and can be improved."

What is our primary use case?

We are a distributor for Rapid7 and AppSpider is one of the products that we implement for our clients.

It does a scan that performs about 100 checks on web applications and produces a clear report on all of the vulnerabilities that are found. It is a dynamic scanner.

What is most valuable?

The reporting is very nice. There are many different reports and they include remediation details such as links as to where you can find patches.

It is really accurate and the rate of false positives is very low.

It can be integrated with the software development life cycle, which our customers have found very useful. It also integrates with Jira and other ticketing solutions.

What needs improvement?

With AppSpider, you can scan only one application at a time. If you have AppSpider Enterprise then you can connect one or two more scanners and scan multiple applications at one time.

Support response times are slow and can be improved.

For how long have I used the solution?

I have been working with Rapid7 AppSpider for a month or two.

What do I think about the stability of the solution?

AppSpider is pretty stable.

Which solution did I use previously and why did I switch?

I have tried a couple of open source solutions like Burp Suite but nothing that is in competition with AppSpider.

How was the initial setup?

The initial setup is pretty straightforward. If the user has a Windows machine then they just download the file and press Next several times. That's it. The deployment will take perhaps 20 minutes, although if there are network issues then it might take up to an hour.

We deploy AppSpider on a laptop and it is easier that way because you can take it in and out of the domain. You can connect with the web apps where they are.

What's my experience with pricing, setup cost, and licensing?

It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.

What other advice do I have?

My advice to anybody who is considering this solution is that there are other products out there, and everyone has their own requirements. If AppSpider meets the requirements then it is a great one to implement.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Get our free report covering OWASP, Micro Focus, Acunetix, and other competitors of PortSwigger Burp Suite Professional. Updated: January 2022.
564,729 professionals have used our research since 2012.