As most of you know we are working on a new product, Netsparker Cloud. We are already planning the release, so it should be available to the public very soon. In the meantime you can still apply for a Netsparker Cloud trial, so go ahead and give it a shot. As the name implies, Netsparker Cloud is an online web application security scanner. Since we are providing both a desktop scanner and an online scanning solution, people started asking us which option they should go for, or which one is the best.
As such, neither product is better than the other. It all depends on your requirements. In this article I will take a deeper look into each product's scope and features to help you come up with your own answer.
Both Netsparker Desktop (a.k.a. Netsparker Web Application Security Scanner) and Netsparker Cloud are built around the same crawling and false-positive-free scanning technology. Therefore, in terms of web application coverage and detection of vulnerabilities and security flaws, you will always get the same results from both solutions. And as we all know, Netsparker has an industry-leading scanning technology.
The main differences between the desktop and online scanners of Netsparker are the features, which of course define their scope. The desktop edition of Netsparker was built for those who mostly do penetration tests on their own and scan a medium number of websites, although we have seen a number of implementations where multiple installations of the Netsparker Desktop edition are used to scan hundreds of websites on a monthly basis.
Netsparker Cloud is specifically built for large organizations that would like to scan many websites and web applications and ensure their security in the long run. By many we mean in the hundreds and thousands of web applications. Netsparker Cloud is a multi-user platform with several features and tools that allow big teams to collaborate. This does not mean smaller organizations cannot use Netsparker Cloud, though.
This is the major difference between the two scanners. The resources of Netsparker Desktop are limited to the specifications of the hardware it is running on. It was designed to scan one or a few web applications at a time. If you would like to scan multiple websites at the same time, you can manually launch multiple instances of the desktop scanner. On the other hand, Netsparker Cloud is a hosted web vulnerability scanner, hence it is not limited in terms of resources. It has a virtually unlimited amount of resources thanks to Amazon's Cloud (AWS) infrastructure and can scan thousands of web applications and websites at the same time.
In Netsparker Cloud you can group websites. This allows you to configure generic scan settings for all the websites in a group, launch a web security scan against all the websites with just a single click and also schedule automated security scans of all websites in that group.
Follow us on our web application security blog and you will notice that we frequently release software updates. In fact, the list of vulnerability checks of the Netsparker scanning engine is ever growing. It is our duty to release frequent updates and ensure that all Netsparker users can scan their web applications against the latest security threats and vulnerabilities. The response time for releasing new security checks is also critical, especially when a critical vulnerability such as Shellshock is discovered and is being exploited in the wild.
In the case of Netsparker Desktop, each time you launch the scanner it will check for updates and advise you should any be available. This is a very practical solution; it only takes a minute or two to get the latest updates. With Netsparker Cloud things are even easier, since it is a maintenance-free service. As soon as we discover something new, we update the service ourselves from a central location and the updates are automatically available to you.
Typically, desktop software is far more configurable than an online service. The reason is that an online service is built around an engine designed to cater for a wider variety of customers, hence it has fewer configurable parameters, resulting in a number of limitations. This is not the case with the Netsparker scanners. Anything that can be configured in Netsparker Desktop can be configured in Netsparker Cloud, such as the URL rewrite rules and other crawling options, HTTP connection properties and all the other scan policy settings.
Netsparker Desktop is designed for a single user; it is a desktop application that can only be run by the user who has access to the computer where it is installed. Netsparker Cloud is a multi-user environment, therefore all your team members can have their own user account under the same Netsparker Cloud account and launch web application security scans, view reports, etc. As an administrator you can configure different privileges for each user, so some of them can be restricted to viewing scan results and reports only, while others manage a websites group, etc.
Like in a bug tracking system, in Netsparker Cloud you can assign identified vulnerabilities as tasks to a team member so they can remediate the vulnerability. Such a feature is definitely a must-have, especially when you need to keep track of the security of many web applications.
Once the issue is marked as fixed by the developer, Netsparker Cloud will automatically rescan the website just for that vulnerability. If the vulnerability is fixed, the task is automatically closed; should the website still be vulnerable, Netsparker Cloud will reopen the task and reassign it to the developer.
The vulnerability management system is designed to ensure every user knows what needs to be done, and that results and fixes are checked automatically by Netsparker Cloud. If you already have a bug tracking solution and want to keep using it, Netsparker Cloud can be integrated with your own bug tracking solution as well.
Both the desktop and cloud editions of Netsparker can be easily integrated within your SDLC and Continuous Integration process. Netsparker Desktop has command line support; you can easily write scripts which can be triggered by other applications and launch automated scans. Netsparker Cloud has an extensive and well documented API which you can use to trigger any type of action you can do from the Netsparker Cloud dashboard.
Launching a single web application security scan and remediating the identified vulnerabilities can be quite difficult. It is even more difficult and demanding to frequently scan all web applications and ensure that all vulnerabilities are remediated, or worse, that the applied fixes do not open new security flaws. Keeping track of all the changes and fixes in web applications is vital to better understand how to address specific vulnerabilities and security issues.
If you are using Netsparker Desktop you can compare different scan results of the same website. This allows you to pinpoint the differences between the web application security scans and keep track of all the issues. Comparing different scan results is very easy, though it can consume a lot of time and become a confusing process when you have a lot of websites.
And this is where Netsparker Cloud shines. As explained earlier in this article, Netsparker Cloud was designed to help you scan and keep track of the security state of many web applications. It has trending and correlated reports which are automatically updated each time a website or web application is scanned. Hence you do not need to compare results manually; these reports give you an overview of what is happening on the website in terms of vulnerabilities and fixes.
From time to time you might need to manually crawl a website or a section of it. To do so you need to proxy the traffic through the scanner so it can capture it, identify attack surfaces and then scan them. Netsparker Desktop can be used for manual crawling, but Netsparker Cloud cannot, because it is a cloud-based product. I am sure you understand why such a service cannot be used for manual browsing. Do not fret, though, if you are a Netsparker Cloud user and need to do manual crawling.
Even though manual crawling is not supported in Netsparker Cloud, you can still achieve the same results. You can configure a browser to proxy its traffic through a local proxy such as Fiddler, for example, and capture the traffic. Once you have captured all the traffic, you can import the Fiddler capture into Netsparker Cloud and launch the scan. The experience won't be as interactive as with Netsparker Desktop, but it will do the job when manual request entry is required.
I am sure that by now you have a better understanding of both Netsparker Desktop and Netsparker Cloud. To summarize: if you are a small team, do not have many websites to take care of, and want to be more hands-on with your scans, Netsparker Desktop is your best candidate. If, on the other hand, you operate in a big team, have many websites and web applications to secure, and need all the right tools to ensure both collaboration between all team members and the security of all web applications, Netsparker Cloud ticks all the checkboxes for you.