Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-Site Scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration.
This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available, and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which scientifically measures the effectiveness of all types of vulnerability detection tools, including DAST.
Use the products to scan each of your in-scope web applications. Since most scanners are very configurable, it will often be desirable to run multiple scans against each application using a variety of configurations. For example, you’ll likely see very different results from a “point and shoot” scan with minimal configuration versus a scan that is configured to log into the web application and manually trained on how to perform all significant transactions.
While configuring and running these scans, evaluate the products based on the criteria you rated as important during the Preparation phase. For example, if Ease of Use is an important criterion in your evaluation, give each product a rating for this criterion.