Which scan policy should you use to find everything that matters?

If only Web application security were black and white. We could simply load our scanner without thinking anything through, enter the URL, click Scan, generate a report of issues for someone else to address and be done with it. Sadly, I think some people do go about Web security this way, but that’s for another discussion. The point I want to make here is that you cannot simply scan your websites and applications using a “best practices” scan policy and expect to find everything that needs to be discovered if the scan is not actually looking for everything.
Some scanners, such as Acunetix Web Vulnerability Scanner, do a great job of checking for everything out of the box. Others will make you think you’re getting an in-depth scan, such as a policy labeled OWASP Top 10 or similar “best practices” as defined by the software engineers who developed the scanner. However, if you look deeply enough, you’ll likely realize that when running default or best-practice scan policies the scanner isn’t going to find everything that matters, including flaws that would have been found had the corresponding checks been enabled.
I’ve seen this time and again, to the point where, in most situations, I’m configuring my scanners to just check for everything – to “have at it”. There’s too much at stake (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.