[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 805
  • Last Modified:

Vulnerability Assessment Tool

I need to acquire and configure a tool that does the automated vulnerability tests against our different application websites?  McAfee has both a SaaS and licensed version of a tool for this. I tried them but had some difficulty getting them working.  
 Note the vulnerability test is different than penetration tests. They require that once per year.  
Can anyone recommend a tool?
6 Solutions
Messus puts out a good one:


Never used it but I know others that have & like it.
Tiras25Author Commented:
it's OpenVAS now.  It forked a couple years ago
nessus is the production one.
Tiras25Author Commented:
I heard a free port scanner tool from the Symantec website that would point out the vulnerabilities from a computer/server.  Anyone used that?
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

you can use a popular one called QUALYS and use a free scan to  perform a comprehensive audit on vulnerability scan on one of your company's web sites or publicly facing IP addresses — and let you know instantly where you're at risk

for moe ip's you;d have to pay


For scanning web applications, as opposed to operating systems and software, hands down the best AND most affordable tool is Burpsuite.

They have a free version that is good if you know how to use it, but for $300 you get the Pro version which has an app scanner, which can do active or passive scanning.

There is also myriad tutorials online to show you how to do more advanced scanning.

There is not a reputable pen tester that does web app testing without this tool.  It will more than meet your web app scanning needs.

Other tools mentioned like Nessus and Qualys are software vulnerbility scanners (windows, java, adobe etc...) are not effective at detecting web vulnerabilities such as XSS and SQL Injection and the other OWASP top 10
Tiras25Author Commented:
Awesome.  Thank you very much!  I will look into Burpsuite.
madunixChief Information Security Officer Commented:
Comodo's comprehensive HackerGuardian scan
Tiras25Author Commented:
I'll try a Burpsuite and see how it works.  So with Pro is it easier to use then the free edition?
Its the same thing as the free version, but it has the scanner, which is very easy to use.
Tiras25Author Commented:
Got.  How is the support for Burp? Are they able to help with the first time user?
Burp does not have technical support.  As I said before though, there are a number of video tutorials online that can give you the basic.  You should look for Burpsuite Scanner tutorials, as that is what you are trying to do.  The other modules, like Intruder and Spider, are more for pen testers.  here are a few things i found just now:

has a bit about the scanner

some more information on how to use the scanner

If looking for other options, you can look at App Scan or Cenzic Hailstorm, Qualys, or Rapid 7.  But then you are talking about $20k and more.

Burpsuite may take a while to figure out how to use, but does an adequate job of web app scanning for a fraction of the price.

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now