Which open-source vulnerability scanner is right for you?

Are you considering using an open-source vulnerability scanner to secure your web applications? In some cases, this is an excellent idea, but in other circumstances, it may reduce your initial costs only to greatly increase them later. Let us guide you and show you the factors you should consider as well as some of the recommended choices.

What is an open-source vulnerability scanner?

Let’s start with a clear definition, as you will likely see the term open-source vulnerability scanner used in two completely unrelated senses:

1. A vulnerability scanner developed as open-source software (OSS), where the source code is freely available for modification and redistribution
2. A vulnerability scanner designed to scan open-source dependencies – in other words, a tool for software composition analysis (SCA)

Since the latter definition is basically an alternative term for SCA, this post focuses on tools that meet the first definition: community-built vulnerability scanners with open-source licensing.

To confuse matters further, the term vulnerability scanner is also used with two different meanings:

1. Network security scanners, which are mostly signature-based security tools that look for known software and known vulnerabilities (CVEs) by scanning on open network ports
2. Dynamic application security testing (DAST) tools that look for new and existing web vulnerabilities by safely sending test attack payloads to a running web application

Again, the term network security scanners is well-established in the industry, so this post refers to open-source vulnerability scanners in the second sense: free vulnerability scanning tools with openly available source code that look for new and existing security vulnerabilities in web applications.

What open-source vulnerability scanners are available?

When searching for an open-source tool on Google, you will find a lot of articles with very promising titles, such as “Top 10 Open Source Vulnerability Assessment Tools” or “10 Paid and Open Source Vulnerability Management Tools to Help Your Company Seek and Fix Security Gaps.” We’ve had a look at these lists, and we were horrified. Most of these articles are either completely outdated or freely mix up not only network security scanners with dynamic application security testing (DAST) but also vulnerability scanning with vulnerability assessment and even vulnerability management. For example, the tool list supplied by OWASP includes both Grabber, which was last updated in 2006, and OpenVAS, which is an excellent network vulnerability scanner but with very little signature-based application security testing functionality.

Other articles that ranked highly in Google were just as outdated. Consulting Invicti’s own security experts, we discovered that the choices for an open-source vulnerability scanner are severely limited. Some tools, which were highly praised and popular in the past, had their last repository updates ages ago, for example, w3af 3 years ago and Vega 8 years ago. Clearly, with the quick developments in the web application security field, these cannot be suitable for any serious use, and any article still recommending these tools in 2022 is doing more harm than good.

Our research indicates that three tools are still in active development and can be used as web application security scanners, though they are primarily penetration testing tools: OWASP Zed Attack Proxy (ZAP), Wapiti, and Nuclei. If you’re looking for an open-source solution, you will most likely be choosing from these three, of which only ZAP has a GUI (Wapiti and Nuclei are command-line tools). ZAP is also backed by OWASP and has more features.

When would you choose an open-source scanner?

An open-source vulnerability scanner such as OWASP ZAP can be a good choice in simpler use cases, such as occasional penetration testing, research, and education.

A free security tool will likely be your starting point if you’re studying computer science or IT security, or you are simply enthusiastic about cybersecurity and want to learn about web application security and ethical hacking. You have a huge choice of open-source projects to support you on your learning journey, as well as some excellent free learning resources such as our Invicti Learn. You have projects such as DVWA and bWAPP, which offer you intentionally vulnerable applications to set up on your local host and learn to hack. There are many open-source attack tools and environments, as well as manual proxies that help you observe traffic between the attacker and the application. Among these free tools is OWASP ZAP, which helps you discover vulnerabilities in test sites and your own applications so you can learn more about web application security.

Open-source penetration tools, including vulnerability scanners, will also be your go-to if you’re an ethical hacker working on your own as a freelancer and making a living by following the public vulnerability disclosure policies of various businesses and scoring on bug bounties. A free tool such as OWASP ZAP will be a good choice because you are focusing squarely on penetration testing, not vulnerability scanning or vulnerability assessment. Your work ends when you find and report a security issue because it’s the client who has to worry about remediation. Open-source vulnerability scanners will be useful because they may automatically find some obvious vulnerabilities that you can potentially follow up on to craft a successful attack and claim a bounty. Because you are working with single targets, dealing with the high proportion of false positive results from free tools will often still be worth the effort. However, many ethical hackers start with free tools but after scoring enough bounties decide to invest in more accurate professional tools such as Invicti or Acunetix.

And finally, one business use case where a free tool might make sense is if you’re a one-man-band “IT guy” or a developer in a very small company that does not have the budget (or does not care enough to have the budget) to spend money on web application security – but you personally care and know enough to also keep an eye on web security (and have the time to do so). In this case, learning and occasionally running this lite scanner, going through the results in your own time, and fixing at least the most obvious SQL injection and cross-site scripting (XSS) vulnerabilities is definitely better than nothing.

When is using an open-source scanner a bad idea?

On the other hand, there are many situations where using an open-source vulnerability scanner will not improve web application security much or will generate additional costs despite the tool itself being free. As a general rule, this will be true for most business use cases where you are building a systematic web application security program.

If you’re a small company only getting started with web application security, you’re likely interested in keeping costs down, so open-source vulnerability scanners may seem a tempting option. However, if you decide to go for one, you need to consider the human resources needed to use such a tool. You will likely need to hire or outsource someone to use the scanner because your IT department (if you have one) is unlikely to have the necessary skills. Your administrators and developers may be able to learn about web application security but most likely have little or no experience in it and it would be many years before they could use such tools effectively. Even if you have the budget to hire someone like this, you are likely to have problems finding them because we’re facing a huge cybersecurity talent gap. In this scenario, your best choice could be to outsource to a professional MSSP that offers web application security testing as part of their services.

If you’re in a medium-sized or larger business, you most likely don’t need convincing that a manual penetration testing tool such as OWASP ZAP won’t work as the foundation of your web security program. You know your security backlog, you know your security testing and remediation headaches, and you know the pitfalls of DIY security. You know that web application security in your environment needs to go way beyond the basic vulnerability testing offered by manual tools such as OWASP ZAP. You need automation, authentication, comprehensive assessment, cloud solutions, and integration with multiple tools – and existing open-source tools cannot provide any of these. You also know the time and effort that can be wasted on false positives and want a more reliable solution. And in the words of Invicti’s Distinguished Architect, Dan Murphy: “ZAP is a good tool if you know how to use it; otherwise, expect to spend a lot of time looking through false positives.”

Know your needs and choose wisely

Invicti is an industry leader in web application security testing, so we know there is a huge difference between running an occasional test and ensuring systematic security. If you are considering an open-source vulnerability scanner and you fit one of the scenarios where its limitations are not a problem, then a penetration testing tool like OWASP ZAP or one of the other few scanners that are still under active development could be a good fit for you. They are great tools for beginning your AppSec journey, getting into ethical hacking, or manually running single tests on small environments.

If you need automated vulnerability testing on a larger scale, the available open-source tools will not be a practical solution, and despite the low price of free may end up costing you more than you saved. Any sizable organization will be better served by a commercial application security product that can cover large application environments and integrate into development pipelines.

So know what you need – and please stay away from clickbait articles!

Frequently asked questions