What are some good website security scanning solutions?

Unfortunately there are no automated scanners to detect all the types of vulnerabilities in modern web applications (I often hear less than 50%).

Relying only on automated solutions is fraught with shortcomings. Automated scanners can expose the easy stuff, but you need human intelligence to explore and reveal additional vulnerabilities.

With that said, you can refer to this question (and answers) to view a list of popular automated web application vulnerability assessment tools.


Check out the Web Application Security Scanner List from The Web Application Security Consortium (WASC). Note: I'm one of the authors of Watcher, which is a free and open source passive vulnerability scanner on this list. This list also includes the Software as a Service scanning solutions.
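To make the "passive scanner" distinction concrete, here is an added example (my own illustration, not Watcher's code or any tool from the WASC list) of what a passive check does: it never sends requests of its own, it only inspects responses that normal traffic already produced and flags weak or missing security headers and cookie flags. The URLs and raw responses below are constructed sample data; in a real passive scanner they would come from a proxy or browser extension observing the session.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (hypothetical host, not real captures).
# A passive scanner only ever sees traffic like this; it generates none itself.
SAMPLE_RESPONSES: Dict[str, str] = {
    "https://example.test/login": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.41 (Ubuntu)\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n"
        "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "https://example.test/assets/app.js": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "Content-Type: application/javascript\r\n"
        "\r\n"
        "console.log('ok');"
    ),
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (lowercased-name, value) header pairs.

    Returns a list rather than a dict because headers such as Set-Cookie
    legitimately repeat and each instance must be checked separately.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_response(url: str, raw: str) -> List[str]:
    """Run passive header/cookie checks on one observed response."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}

    def first(name: str) -> Optional[str]:
        return next((v for n, v in headers if n == name), None)

    findings: List[str] = []
    is_https = url.lower().startswith("https://")
    content_type = (first("content-type") or "").lower()

    # HSTS only makes sense on HTTPS responses, so only flag it there.
    if is_https and "strict-transport-security" not in present:
        findings.append("Missing Strict-Transport-Security header")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("Missing or non-'nosniff' X-Content-Type-Options header")
    # CSP matters for documents the browser renders, not for scripts or images.
    if content_type.startswith("text/html") and "content-security-policy" not in present:
        findings.append("HTML response without Content-Security-Policy")
    server = first("server")
    if server and re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server}")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first ';', compared case-insensitively.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if is_https and "secure" not in attrs:
            findings.append(f"Cookie '{cookie_name}' set without Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie '{cookie_name}' set without HttpOnly flag")
    return findings


def scan(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply the passive checks to every observed (url, response) pair."""
    return {url: check_response(url, raw) for url, raw in responses.items()}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Everything this flags is the "easy stuff" the first answer refers to: it is cheap to detect because the evidence sits in a header the server volunteered. What a passive check cannot do is exercise the application, so injection, authorization and business-logic flaws are invisible to it; that gap is where the active scanners on the WASC list, and then a human tester, come in.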


Perhaps it helps to talk about a real world analog.

Say your customer has a brick and mortar store. How do you verify it is secure?

First you must understand the threat model. Is it a lemonade stand, a convenience store, or a jewelry store? They all require very different levels of security.

Then you must implement the controls required for that type of property. For a lemonade stand, a simple latching fishing box cash register is probably sufficient.

Finally, you must periodically monitor that the controls are working. Bank safes are rated in expected time to crack. There is no perfect security, and some sort of monitoring is almost always part of physical security. In low security environments this usually just happens by the staff being present at least periodically.

Likewise, there is no one size fits all answer in application security, no matter what any vendor or consultant tells you. Perhaps ask a more specific question, including details like: Are these sites handling payments? Are there regulatory requirements? If you're handling credit card data, the answer is probably yes. Are there logins? What personally identifiable data is being protected? etc.