Commercial WebApp Security Tools Are Too Restrictive

Limits imposed by commercial WebApp dynamic application security testing (DAST) tools are counterproductive because they treat security as a luxury.

April 8, 2024

3 Min Read
A screen showing technology icons such as keys, 0 and 1, and wireless signal, in hexagons.

By Anastasios Laskos, Founder, General Manager, Head of R&D, Ecsypno

Commercial dynamic application security testing (DAST) tools for assessing vulnerabilities in Web apps impose multitudes of restrictions that have never hindered open source options. However, due to the amount of R&D required and the technical challenges of building DAST tools, there has long been a huge quality gap between commercial and open source in favor of commercial products.

For a long time, the free and public source Arachni Web application security (WebAppSec) scanning framework helped close that gap, offering quality, affordability, and an unrestricted set of DAST features. However, it has not been maintained for several years due to lack of funding.

As a result, the industry is left wanting.

Common Restrictions in Commercial DAST tools

Commercial DAST tools impose restrictions on users including:

  • Parallel scans: Limiting the number of parallel scans slows you down because you must run bulk scans serially, which also drives costs way up.

  • Number of sites:  Having to check multiple different sites over time can be expensive.

  • Number of pages: Limits on how many pages you can check leaves you with an incomplete picture of your security posture.

  • Time: Restricting time also creates an incomplete picture of your security posture.

  • Pricing: Having just a couple of basic/starter licenses can cost companies thousands of dollars.

These restrictions have ramifications for businesses — small, medium, and large.

Small Businesses

Smaller companies will fill their continuous integration and continuous development (CI/CD) pipelines with multiple specialized (often free) tools of low quality and severely limited technological capabilities. Many of these tools are stuck in the pre-HTML5/JavaScript days with mediocre and outdated understanding of the document object model (DOM). Using these tools is messy, plus the coverage is severely lacking for any modern Web application.

Midsized Businesses

Midsized companies see the same issues as smaller organizations. Many, however, have a somewhat sophisticated DOM-aware DAST solution, but at significant expense to the business.

Large Enterprises

Large businesses invest in extremely expensive DAST solutions with costs that scale upward very quickly as their DAST use scales.

All organizations need an affordable, sophisticated, and scalable solution for testing Web app security that easily integrates into their CI/CD pipelines. It's almost impossible to get all those attributes together, however.

Current State of Affairs

Security has always been a necessity, although it is often initially treated as an afterthought or a nice-to-have, only to later become paramount in any project's scope — one way or another.

This mentality has slipped into the tools that can help you improve security. But it shouldn't, as it leads to a circular situation where a breach sadly enforces the newfound focus on security.

The restrictive nature of many WebAppSec tools means it's difficult to affordably maximize coverage of your security posture. So, when you decide to take it more seriously, the costs quickly escalate.

More competition may change this state of affairs, but it may take a while to find out. Hopefully, users will soon speak up and drive much-needed change in the software development life cycle (SDLC) and the tools that support it.

About the Author:


Anastasios (Tasos) Laskos is the founder, general manager, and head of R&D of Ecsypno Single Member P.C., creator of Codename SCNR.

With varied experience that spans close to 20 years in the cybersecurity field and DAST R&D experience of close to 15 years.

Read more about:

Sponsor Resource Center
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights