
Can the Acunetix Web Vulnerability Scanner v12 technical specification be used to technically lock down an open tender?


This is the same topic covered before, expanded and updated to cover the v12 scenario and context.

Depending on the final combination in the package you offer, you may pick and mix the following into the case you are working on:

Appliance scenario

  • Depending on your deployment scenario, it may be a physical server appliance (pre-built with Windows Server Standard or higher and 8-16 GB of memory, depending on how many targets you need to cover).
  • Besides servers, high-performance laptops and workstations are also common deployment platforms; check how the customer intends to use it.

Software license only scenario

  • You need to provide the technical information for the software only, including the edition.

Bundled with implementation service scenario

  • It is common to bundle an implementation service covering project management (project kick-off meeting, installation, delivery of an installation SOP, assisted scanning and report generation for the target websites, knowledge transfer, an operations SOP, and final project sign-off / UAT).

Bundled with training service scenario

  • Because the product is mostly automated in operation, it is very appealing to hard-core technical users to add several days of hands-on training that covers various advanced pentest tools and shows users how to apply them in their own operational context.
  • It can be bundled with an advanced manual dynamic application security testing (DAST) tool that performs the functionality Acunetix does not cover, completing an end-to-end solution for the customer (it is also common to bundle static application security testing (SAST) or a web application firewall (WAF) in this scenario to make the offer unique).

Bundled with post sales local 8×5/24×7 maintenance support scenario

  • Depending on the actual deployment scenario, some customers prefer access to an additional layer of technical support, covering normal business days or 24x7x365 for one to multiple years, from phone, email and remote support up to onsite incident support.

Typical example of an Acunetix lock-down spec

Columns: No. | Requirement | Mandatory | Mandatory Answer (Y/N) | Description of Compliance (Full / Partial / Modification / No; the bidder must explain every entry). The first three columns are filled in below; the last two are left for the bidder to answer.

 1. Proposed software should be the Standard / Enterprise Edition (or Consultant Edition) with a 1 (2 or 3) year License Subscription (LS). Mandatory: Yes
 2. Software should run on Windows family operating systems (such as Windows Server 2016, 2019 and Windows 10) or on a Linux operating system. Mandatory: Yes
 3. The web interface of the software should be accessible from all major web browsers of choice: Mozilla Firefox, Google Chrome, Opera, Microsoft Edge, Microsoft Internet Explorer, Vivaldi, Tor Browser. Mandatory: Yes
 4. Able to scan up to the licensed fixed number of targets during the subscription period; each licensed target can be re-scanned on demand or on schedule during the subscription period. Mandatory: Yes
 5. Able to detect web application attacks including (but not limited to):
    a. CRLF injection attacks
    b. Code execution attacks
    c. Directory traversal attacks
    d. File inclusion attacks
    e. Input validation attacks
    f. Authentication attacks
    Mandatory: Yes
 6. Should automatically check for SQL injection and cross-site scripting (XSS) vulnerabilities. Mandatory: Yes
 7. Checks for weak passwords on authentication pages (HTTP or HTML forms). Mandatory: Yes
 8. Scans JavaScript / AJAX applications for security vulnerabilities. Mandatory: Yes
 9. Automatically audits shopping carts, forms, dynamic content and other web applications. Mandatory: Yes
10. Creates professional website security audit reports. Mandatory: Yes
11. Has a report generation facility for the detected vulnerabilities that also gives remediation suggestions. Mandatory: Yes
12. Editing facility for custom web attacks. Mandatory: Yes (caveat: the v12 feature list below marks "Modify existing tests" and "Create new tests" as deprecated, so confirm this item against the specific edition before including it)
13. Supports all major web technologies such as ASP, ASP.NET, PHP, CGI, etc. Mandatory: Yes
14. Different scanning profiles and scanning options should be available. Mandatory: Yes
15. Should re-audit website changes. Mandatory: Yes
16. Compares scans with previous scans to find differences and newly discovered vulnerabilities. Mandatory: Yes
17. Should discover directories with weak permissions. Mandatory: Yes
18. Able to find dangerous HTTP methods that are enabled on the web server. Mandatory: Yes
19. Able to automatically crawl suppressed areas. Mandatory: Yes
20. Scanner should be able to detect and report real (confirmed) vulnerabilities rather than false positives. Mandatory: Yes
21. Should avoid being detected by IDS/IPS (evasion) when launching attacks. Mandatory: Yes
22. Able to automatically collect evidence from the target after the target has been compromised. Mandatory: Yes
23. Supports comprehensive reports to assist the escalation process for remediating the vulnerabilities. Mandatory: Yes
24. Should provide the web owner and web developer with the web threat and the solution for how it is to be fixed. Mandatory: Yes
25. Should be supplied together with an advanced manual web application pentesting tool that extends the application security testing functionality with features Acunetix does not cover but which are essential for end-to-end, advanced and complex testing. Mandatory: Yes
26. Should provide a range of regulatory compliance reports. Please specify which regulations are covered (Enterprise and Consultant editions only). Mandatory: Yes
27. Able to point to the line of code where the vulnerability was detected, for ease of mitigation (this relies on the AcuSensor agent, which the feature list below gives for .NET, PHP and Java applications). Mandatory: Yes
28. The proposed solution should have a Principal Regional Expert Partner status technical support office in Malaysia that provides 24×7 technical support. Mandatory: Yes
29. The vendor must also work together with the Principal Regional Expert Partner to perform the implementation in accordance with "best security practice". Mandatory: Yes
30. Performs configuration fine-tuning, database optimization, log backup and archiving, and version upgrades as they become available. Mandatory: Yes
31. The proposed solution must include an authorized support letter from the Principal Regional Expert Partner. Mandatory: Yes
32. Experience in supplying Application Security Testing (AST) software related to the proposed software brand. Please list/attach related information in an appendix with project name, year, department, personnel name, and contact person email and phone. Mandatory: Yes
Customers and partners who want a more detailed technical lock-in can also selectively put the web application security scanner evaluation criteria below into the tender specification (remark: include only the items marked Yes. Furthermore, certain functions are edition dependent; if you are unclear, let us go through your final technical document with the specific edition in mind, so that you do not accidentally write a specification that the intended edition of the scanner itself cannot comply with):
Acunetix Web Vulnerability Scanner features
Protocol Support
Transport Support
HTTP 1.1 Yes
HTTP 1.0 Yes
TLS1.1 or above Yes
HTTP Keep-Alive Yes
HTTP compression Yes
HTTP user agent configuration Yes
Detection of mobile friendly version of website Yes
Proxy Support
HTTP 1.0 proxy Yes
HTTP 1.1 proxy Yes
Authentication
Full support for a variety of Authentication Schemes
Basic Yes
Digest Yes
HTTP negotiate Yes
NTLM Authentication Yes
HTML Form-based
Automated Yes
Scripted Yes
Non-Automated Yes
Single sign on Yes
Client SSL certificates Yes
OAuth-based authentication Yes
Session Management
Comprehensive Session Management Capabilities
Start a new session Yes
Session token refresh Yes
Session expired Yes
Reacquire session tokens Yes
Session Management Token Type Support
HTTP cookies Yes
HTTP parameters Yes
HTTP URL path Yes
Session Token Detection Configuration
Automatic session token detection Yes
Manual session token configuration Yes
Session Token Refresh Policy
Fixed session token value Yes
Login process provided token value Yes
Dynamic token value Yes
Crawling
Web Crawler Configuration
Define a starting URL Yes
Define additional hostnames (or IPs) Yes
Manual Crawling Yes
Define exclusions for
Specific hostnames (or IPs) Yes
Specific URLs or URL patterns Yes
Specific file extensions Yes
Specific parameters Yes
Limit redundant requests Yes
Supporting concurrent sessions Yes
Specify request delay Yes
Define maximum crawl depth Yes
Training the crawler Yes
Web Crawler Functionality
Identify newly discovered hostnames Yes
Support automated form submission Yes
Detect error pages/custom 404 responses Yes
Redirect Support
Follow HTTP redirects Yes
Follow meta refresh redirects Yes
Follow JavaScript redirects Yes
Identify and accept cookies Yes
Support AJAX applications Yes
Crawl Preseeding using
HTTP Archives (HAR) Files Yes
Fiddler Exports (.saz) Yes
Burp Saved Items and Burp State Files Yes
Acunetix Sniffer Log (.slg) Yes
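The crawl preseeding and exclusion criteria above are easiest to judge with a concrete input. The following is an added example, not Acunetix code: it parses a HAR capture (the JSON format the scanner imports) and turns it into crawl seeds, applying the same kinds of exclusions listed under "Define exclusions for" (hosts, URL patterns, file extensions, parameters). The sample capture, the host names and the scope rules are constructed for the example.

```python
"""Turn a HAR capture into crawl seeds, applying tender-style scope rules.

Added example (not Acunetix code). A HAR file is JSON of the shape
{"log": {"entries": [{"request": {...}, "response": {...}}]}}.
The scope rules mirror the scanner's exclusion options; the host names and
the capture below are constructed for this example.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: two in-scope requests, a static asset, a logout link a
# crawler must never replay, and a third-party host outside the tender scope.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "headers": [],
                 "url": "https://shop.example.test/catalog?cat=books&sort=asc"},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://shop.example.test/cart/add",
                 "headers": [{"name": "Content-Type",
                              "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "sku=1234&qty=2&csrf_token=abc"}},
     "response": {"status": 302}},
    {"request": {"method": "GET", "headers": [],
                 "url": "https://shop.example.test/static/app.js"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "headers": [],
                 "url": "https://shop.example.test/account/logout"},
     "response": {"status": 302}},
    {"request": {"method": "GET", "headers": [],
                 "url": "https://cdn.thirdparty.test/tracker.gif?id=9"},
     "response": {"status": 200}},
]}})

# Scope rules for the example (assumed values, not a product default).
SCOPE = {
    "hosts": {"shop.example.test"},                      # allowed hostnames
    "exclude_url_patterns": [re.compile(r"/logout\b")],  # never replay these
    "exclude_extensions": {".js", ".css", ".png", ".gif"},
    "exclude_parameters": {"csrf_token"},                # not fuzz candidates
}


def body_params(request):
    """Return (name, value) pairs from a HAR postData block, if any."""
    pd = request.get("postData") or {}
    if "params" in pd:
        return [(p["name"], p.get("value", "")) for p in pd["params"]]
    if pd.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        return parse_qsl(pd.get("text", ""), keep_blank_values=True)
    return []


def extract_seeds(har_text, scope):
    """Map (method, URL without query) -> sorted parameter names in scope."""
    seeds = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname not in scope["hosts"]:
            continue
        if any(p.search(url.path) for p in scope["exclude_url_patterns"]):
            continue
        if any(url.path.lower().endswith(e) for e in scope["exclude_extensions"]):
            continue
        params = parse_qsl(url.query, keep_blank_values=True) + body_params(req)
        names = {n for n, _ in params if n not in scope["exclude_parameters"]}
        key = (req["method"].upper(), f"{url.scheme}://{url.netloc}{url.path}")
        seeds.setdefault(key, set()).update(names)
    return {k: sorted(v) for k, v in seeds.items()}


if __name__ == "__main__":
    for (method, url), names in sorted(extract_seeds(SAMPLE_HAR, SCOPE).items()):
        print(f"{method:5} {url}  params={names}")
```

Run against a real capture, the output is the list of endpoints and parameter names a preseeded crawl would start from; anything a logout pattern or an excluded extension removes is exactly what you want a scanner's exclusion settings to remove too.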
Parsing
Web Content Types
HTML4 Yes
HTML5 – Advanced HTML5 parsing via Acunetix DeepScan technology, which implements a rendering engine that is in widespread use Yes
JavaScript Yes
VBScript Yes
XML Yes
Plaintext Yes
Java Frameworks (e.g. Spring, Struts and JavaServer Faces) Yes
Flash Yes – Limited
CSS Yes
Web Services (WSDL) Yes
Ruby on Rails Yes
CRUD Yes
REST APIs (including support for WADL & Swagger/OpenAPI) Yes
Character Encoding Support
ISO-8859-1 Yes
UTF-7 Yes
UTF-8 Yes
UTF-16 Yes
Parser tolerance Yes
Extraction of dynamic content Yes
Testing
Testing Configuration
Host names or IPs Yes
URL patterns Yes
File extensions Yes
Web Parameters Yes
Cookies Yes
JSON Parameters Yes
XML Parameters Yes
HTTP headers Yes
Brute Force Prevention
Lack of account lockout Yes
Different login failure message Yes
Insufficient authentication Yes
Weak password recovery Yes
Lack of SSL on login pages Yes
Auto-complete enabled on pass parameters Yes
Authorization
Credential/Session Prediction
Sequential session token Yes
Non-Random session token Yes
Insufficient Authorization
Forcefully browse to “logged-in” URL Yes
Forcefully browse to high-privilege URL Yes
HTTP verb tampering Yes
Insufficient session expiration Yes
Session Fixation
Failure to generate new session ID Yes
Permissive session management Yes
Session Weaknesses
Session token passed in URL Yes
Session cookie not set with secure attribute Yes
Session cookie not set with HTTPOnly Yes
Session cookie not sufficiently random Yes
Site does not force SSL connection Yes
Site uses SSL but references insecure objects Yes
Site supports weak SSL ciphers Yes
Client-side Attacks
Content spoofing Yes
Test for DNS vulnerabilities Yes
Cross-Site Scripting
Reflected cross-site scripting Yes
Persistent cross-site scripting Yes
DOM-based cross-site scripting Yes
Cross-frame scripting Yes
HTML injection Yes
Cross-site request forgery Yes
Clickjacking Yes
Injection Attacks
Format string attack Yes
LDAP injection Yes
OS command injection Yes
SQL injection Yes
Blind SQL injection Yes
SSI injection Yes
XPath injection Yes
HTTP header injection/response splitting Yes
Remote file includes Yes
Local file includes Yes
Potential malicious file uploads Yes
Information Disclosure
Directory indexing Yes
XML External Entity (XXE) Yes
Information Leakage
Sensitive information in code comments Yes
Detailed application error messages Yes
Backup files Yes
Include file source code disclosure Yes
Path traversal Yes
Predictable resource location Yes
Insecure HTTP methods enabled Yes
WebDAV enabled Yes
Default web server files Yes
Testing and diagnostics pages Yes
Front page extensions enabled Yes
Internal IP address disclosure Yes
Support for Google Hacking Database (GHDB) Yes
Server Side Request Forgery (SSRF) Yes
WordPress Specific Vulnerabilities Yes, over 1200 vulnerabilities
Port Scanning (Test for Open Ports) Yes
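Several of the Session Weaknesses and Information Leakage criteria above (session cookie without Secure or HttpOnly, session token passed in the URL, insecure objects referenced from an HTTPS page, insecure HTTP methods enabled, internal IP address disclosure) are checks you can reproduce by hand from a single raw response, which is what the manual verification tools listed later give you. The following is an added example, not Acunetix code: it parses a raw HTTP response and applies those checks, and is run over a constructed weak response beside a hardened one. The host names, cookie names and the two responses are constructed for the example.

```python
"""Reproduce several scanner checks over a raw HTTP response.

Added example (not Acunetix code). The two responses below are constructed;
the weak one should trigger every check, the hardened one none.
"""
import re

DANGEROUS_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "PROPFIND", "MKCOL"}
SESSION_COOKIE_HINTS = ("sess", "sid", "token", "auth")   # assumed naming heuristic
RFC1918 = re.compile(r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                     r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
TOKEN_IN_URL = re.compile(r"""["']([^"']*[?&;](?:jsessionid|phpsessid|sessionid|sid)=[^"']*)["']""", re.I)
MIXED_CONTENT = re.compile(r"""(?:src|href|action)\s*=\s*["'](http://[^"']+)""", re.I)

WEAK_RESPONSE = (  # constructed
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"Set-Cookie: PHPSESSID=7c1d9e; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/; Max-Age=31536000\r\n"
    b"Allow: GET, POST, OPTIONS, TRACE, PUT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><img src="http://cdn.example.test/logo.png">'
    b"<!-- served by app01 10.0.12.7 -->"
    b'<a href="/account;jsessionid=1A2B3C">My account</a></html>'
)
HARDENED_RESPONSE = (  # constructed
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: PHPSESSID=7c1d9e; Path=/; Secure; HttpOnly\r\n"
    b"Allow: GET, POST, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><img src="https://cdn.example.test/logo.png">'
    b'<a href="/account">My account</a></html>'
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def check_response(raw, url_scheme="https"):
    """Return a list of finding strings for the response; empty means clean."""
    _, headers, body = parse_response(raw)
    get = lambda name: [v for k, v in headers if k == name]
    findings = []

    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            continue  # only session-like cookies need the two flags
        if url_scheme == "https" and "secure" not in attrs:
            findings.append(f"session cookie {name} not set with Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"session cookie {name} not set with HttpOnly")

    for allow in get("allow") + get("public"):
        bad = sorted({m.strip().upper() for m in allow.split(",")} & DANGEROUS_METHODS)
        if bad:
            findings.append("dangerous HTTP methods enabled: " + ", ".join(bad))

    if url_scheme == "https":
        for m in MIXED_CONTENT.finditer(body):
            findings.append("insecure object referenced from HTTPS page: " + m.group(1))

    for loc in get("location") + TOKEN_IN_URL.findall(body):
        if re.search(r"[?&;](?:jsessionid|phpsessid|sessionid|sid)=", loc, re.I):
            findings.append("session token passed in URL: " + loc)

    haystack = body + " " + " ".join(v for _, v in headers)
    for ip in sorted(set(RFC1918.findall(haystack))):
        findings.append("internal IP address disclosed: " + ip)
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or ["clean"])
```

The weak response yields six findings (the two cookie flags, PUT and TRACE in Allow, the http:// image on an HTTPS page, the jsessionid link, and the 10.0.12.7 address in a comment); the hardened one yields none. Feeding the scanner's own reported request/response pair through this is a quick way to confirm a finding is real before it goes into a remediation report.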
Malware
Detection of links to sites hosting malware
Detection of Trojan Shell Scripts
Testing Customization
Modify existing tests Deprecated
Create new tests Deprecated
Advanced Scan Control Capabilities
Native Scan Scheduler that does not rely on OS Scheduler (e.g. Windows Scheduler or Unix Cron) with Dedicated Scheduler Application and Optimized Task Queuing. Yes
Pause and resume scans Yes
View real-time status Yes
Define re-usable scan configuration templates Yes
Run multiple scans simultaneously Yes
AcuSensor Agent deployment for enhanced vuln detection and verification, down to the line of code in the web application Yes – .NET, PHP & Java
Support multiple users Yes
Regular updates for the application Yes
Easy to compare the results (dedicated module to compare the results is available) Yes
Command and Control
Scan Control Capabilities
Schedule scans Yes
Pause and resume scans Yes
View real-time status Yes
Define re-usable scan configuration templates Yes
Run multiple scans simultaneously Yes
Support multiple users Yes
Remote/distributed scanning Yes
Command line interface Yes
Web-based interface Yes
Extensibility and Interoperability
Scan API Yes
Integrates with bug-tracking systems Yes
Technical Detail Report
Full request and response data Yes
List of all hosts and URLs Yes
Delta Report Yes
Compliance Report
OWASP Top 10 Yes
WASC Threat Classification Yes
SANS Top 20 Yes
Sarbanes-Oxley (SOX) Yes
PCI DSS Yes
HIPAA Yes
NIST 800-53 Yes
Advisories For Each Unique Vulnerability Type
Vulnerability description Yes
CVE or CWE ID Yes
Severity level Yes
CVSS version 2 Score Yes
Remediation guidance Yes
Remediation code example(s) Yes
Report Customization
Add custom notes Yes
Mark vulnerabilities as false positives Yes
Adjust the risk level
CVSS score Yes
Severity level or other risk quantifiers Yes
Report vulns according to content location Yes
Report Format
PDF Yes
HTML Yes
XML Yes
Manual Testing Tools for the Verification of Results
HTTP Packet Sniffer Yes
HTTP Request Editor Yes
HTTP Fuzzing Tool Yes
Blind SQL Injection Exploit Tester Yes
BruteForce / Authentication Tester Yes
Text Encoding Tool Yes
Dedicated tool to scan the sub-domains (Sub-domain Scanner) Yes
Target Finder, allowing the scanner to easily find web servers on the network Yes
Custom Criteria
Use this section for custom criteria you may have for your organization
Integrates with continuous integration systems (Jenkins) Yes
JSON injection Yes
XML injection Yes
Deploy in enterprise internal network Yes
Distributed deployment. Yes
Local technical support service Yes
Scan speed Yes
Support for recorded HTTP request/response message input for Fuzz source Yes
Swagger yaml file for Fuzz source (optional) Yes
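The "Scan API" and Jenkins integration criteria above are usually exercised the same way: a build step creates a target, starts a scan, polls until it finishes and fails the build when the severity counts exceed a threshold. The following is an added example, not Acunetix or Jenkins code. The endpoint paths (/api/v1/targets, /api/v1/scans), the X-Auth header, the Full Scan profile id and the response fields are assumptions modelled on the v12 REST API and must be checked against the API reference for the edition being tendered; the gating logic is the point. The transport is injectable, so the block runs offline against the FakeApi, which replays constructed responses; the environment variable names are the example's own.

```python
"""Gate a CI build on a scan run through the scanner's REST API.

Added example, not Acunetix or Jenkins code. Endpoint paths, the X-Auth
header, the profile id and response fields are ASSUMPTIONS modelled on the
v12 API; verify them against the API reference for the edition in the tender.
"""
import json
import os
import sys
import time
import urllib.request

FULL_SCAN_PROFILE = "11111111-1111-1111-1111-111111111111"  # assumed v12 "Full Scan" id


class UrllibTransport:
    """Real transport: api(method, path, body) -> (status, headers, json)."""

    def __init__(self, base_url, api_key, ssl_context=None):
        # Do not disable certificate checks for a self-signed scanner UI;
        # pass an ssl.SSLContext that trusts the scanner's certificate instead.
        self.base, self.key, self.ctx = base_url.rstrip("/"), api_key, ssl_context

    def __call__(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"X-Auth": self.key,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as r:
            raw = r.read()
            return r.status, dict(r.getheaders()), json.loads(raw) if raw else {}


class FakeApi:
    """Offline stand-in replaying constructed responses; the scan completes on the 3rd poll."""

    def __init__(self, high, medium):
        self.high, self.medium, self.polls = high, medium, 0

    def __call__(self, method, path, body=None):
        if (method, path) == ("POST", "/api/v1/targets"):
            return 201, {}, {"target_id": "t-1"}
        if (method, path) == ("POST", "/api/v1/scans"):
            return 201, {"Location": "/api/v1/scans/s-1"}, {}
        if (method, path) == ("GET", "/api/v1/scans/s-1"):
            self.polls += 1
            status = "completed" if self.polls >= 3 else "processing"
            return 200, {}, {"current_session": {
                "status": status,
                "severity_counts": {"high": self.high, "medium": self.medium,
                                    "low": 2, "info": 9}}}
        raise AssertionError(f"unexpected call {method} {path}")


def run_gated_scan(api, target_url, max_high=0, max_medium=5,
                   poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Create target, start a scan, wait, and return counts plus a pass/fail verdict."""
    _, _, target = api("POST", "/api/v1/targets",
                       {"address": target_url, "description": "CI build scan",
                        "criticality": 10})
    _, hdrs, scan = api("POST", "/api/v1/scans",
                        {"target_id": target["target_id"],
                         "profile_id": FULL_SCAN_PROFILE,
                         "schedule": {"disable": False, "start_date": None,
                                      "time_sensitive": False}})
    # Assumption: the scan id arrives either in the body or in a Location header.
    scan_id = scan.get("scan_id") or hdrs["Location"].rstrip("/").rsplit("/", 1)[-1]

    for _ in range(max_polls):
        _, _, state = api("GET", f"/api/v1/scans/{scan_id}")
        session = state.get("current_session") or {}
        if session.get("status") in ("completed", "failed", "aborted"):
            break
        sleep(poll_seconds)
    else:
        raise TimeoutError(f"scan {scan_id} did not finish within {max_polls} polls")

    counts = session.get("severity_counts", {})
    passed = (session.get("status") == "completed"
              and counts.get("high", 0) <= max_high
              and counts.get("medium", 0) <= max_medium)
    return {"scan_id": scan_id, "status": session.get("status"),
            "counts": counts, "passed": passed}


if __name__ == "__main__":
    # Example-specific environment variables; a Jenkins step would set them as credentials.
    api = UrllibTransport(os.environ["SCANNER_URL"], os.environ["SCANNER_API_KEY"])
    result = run_gated_scan(api, os.environ["SCAN_TARGET"])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

A failed or aborted scan fails the build as well, which is deliberate: a scan that did not complete is no evidence that the release is clean. Thresholds (max_high, max_medium) belong in the pipeline configuration, not hard-coded, so that the tender's remediation SLA can be mapped onto them.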