Commercial WebApp Security Tools Are Too Restrictive

By Anastasios Laskos, Founder, General Manager, Head of R&D, Ecsypno

Commercial dynamic application security testing (DAST) tools for assessing vulnerabilities in Web apps impose multitudes of restrictions that have never hindered open source options. However, due to the amount of R&D required and the technical challenges of building DAST tools, there has long been a huge quality gap between commercial and open source in favor of commercial products.

For a long time, the free and public source Arachni Web application security (WebAppSec) scanning framework helped close that gap, offering quality, affordability, and an unrestricted set of DAST features. However, it has not been maintained for several years due to lack of funding.

As a result, the industry is left wanting.

Common Restrictions in Commercial DAST tools

Commercial DAST tools impose restrictions on users including:

These restrictions have ramifications for businesses — small, medium, and large.

Small Businesses

Smaller companies will fill their continuous integration and continuous development (CI/CD) pipelines with multiple specialized (often free) tools of low quality and severely limited technological capabilities. Many of these tools are stuck in the pre-HTML5/JavaScript days with mediocre and outdated understanding of the document object model (DOM). Using these tools is messy, plus the coverage is severely lacking for any modern Web application.

Midsized Businesses

Midsized companies see the same issues as smaller organizations. Many, however, have a somewhat sophisticated DOM-aware DAST solution, but at significant expense to the business.

Large Enterprises

Large businesses invest in extremely expensive DAST solutions with costs that scale upward very quickly as their DAST use scales.

All organizations need an affordable, sophisticated, and scalable solution for testing Web app security that easily integrates into their CI/CD pipelines. It's almost impossible to get all those attributes together, however.

Current State of Affairs

Security has always been a necessity, although it is often initially treated as an afterthought or a nice-to-have, only to later become paramount in any project's scope — one way or another.

This mentality has slipped into the tools that can help you improve security. But it shouldn't, as it leads to a circular situation where a breach sadly enforces the newfound focus on security.

The restrictive nature of many WebAppSec tools means it's difficult to affordably maximize coverage of your security posture. So, when you decide to take it more seriously, the costs quickly escalate.

More competition may change this state of affairs, but it may take a while to find out. Hopefully, users will soon speak up and drive much-needed change in the software development life cycle (SDLC) and the tools that support it.

About the Author:

Anastasios (Tasos) Laskos is the founder, general manager, and head of R&D of Ecsypno Single Member P.C., creator of Codename SCNR.

With varied experience that spans close to 20 years in the cybersecurity field and DAST R&D experience of close to 15 years.