Best practices for performance

The scan engine conducts over 1000 different tests and performs them multiple times.

The following suggestions will help with the performance of a scan:

  1. A firewall between the agent server and the web server affects both scan performance and test results. The firewall can block some requests from the agent server, causing the scanner to conclude that those attacks were not successful and therefore that the web server is not vulnerable to them. For a faster scan that produces more accurate results, ensure that the agent server does not go through a firewall to reach the web server.
  2. Scan one application per job, if practical. Ensure that the Starting URL is pointed at a single application and that you exclude any links it has to other applications.
  3. Remove multiple access points to similar pages. The same page or content might be accessed through different URLs. It is best to exclude similar pages from a job to prevent it from unnecessarily scanning additional items and prevent the number of reported issues from being inflated. To exclude items from a job, ensure that your starting URLs start the scan at appropriate places and use the Exclude Files and Paths page.
  4. Set timeouts as low as possible, but be aware that timeouts that are too short can reduce the accuracy of the tests by creating false negatives. Timeouts are set on the Connections page.
  5. Set concurrent connections as high as possible. Concurrent connections are set from the Connections page.
  6. Add any links that might cause the scan to log out of the application to the Exclusions page. Exclusions are added from the Exclude Paths and Files page.
  7. Add session IDs to filter out looping applications, such as web-based calendars, and URLs that do not provide unique content. For example, the following URLs should only be found once by the scan because they are not unique:
  8. Use Automatic Form Fill with care. This content scan job feature is used to automatically fill out forms that it finds, so that the scan can continue through an application. But there are positive and negative aspects of using it with a security scan. On the positive side, it can discover new areas of the application that are hidden behind form submissions. On the negative side, it can potentially seed any backend database systems with "dummy" data.
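As an added example (not from the product documentation), the following Python shows how a practitioner can check items 3 and 7 before configuring a job: it canonicalizes crawled URLs by dropping assumed session-ID parameters, fragments and default ports and by sorting query parameters, then groups URLs that collapse to the same canonical form. The session-ID parameter names and the sample URLs are constructed for this example.

```python
"""Canonicalize crawled URLs so that a page reached through several URLs, or
through URLs that differ only in a session ID, is counted (and scanned) once.
Session-ID parameter names and sample URLs below are constructed examples."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed session-ID parameter names; the real names come from the application.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid"}


def canonical_url(url: str) -> str:
    """Return a canonical form of url: lowercase scheme and host, default port
    and fragment removed, ';jsessionid=...' path parameters dropped, session-ID
    query parameters dropped, remaining query parameters sorted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # userinfo is discarded
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    # Drop path parameters (';jsessidon=ABC' style) and a trailing slash; this
    # assumes the application serves the same content with or without them.
    path = parts.path.split(";", 1)[0].rstrip("/") or "/"
    query = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in SESSION_PARAMS
    )
    return urlunsplit((scheme, host, path, urlencode(query), ""))


def group_duplicates(urls):
    """Map each canonical URL to the list of original URLs that collapse to it."""
    groups = {}
    for url in urls:
        groups.setdefault(canonical_url(url), []).append(url)
    return groups


def unique_urls(urls):
    """Return one representative (the first seen) per canonical URL."""
    return [originals[0] for originals in group_duplicates(urls).values()]


# Constructed crawl output: two calendar views of the same month with different
# session IDs, one page reached via two URL spellings, and one genuinely new page.
SAMPLE = [
    "HTTP://Example.com:80/app/calendar.do;jsessionid=ABC123?month=5&PHPSESSID=x#top",
    "http://example.com/app/calendar.do?sid=999&month=5",
    "http://example.com/app/?b=1&a=2",
    "http://example.com/app?a=2&b=1",
    "http://example.com/app/calendar.do?month=6",
]

if __name__ == "__main__":
    for canon, originals in group_duplicates(SAMPLE).items():
        print(f"{canon}  <-  {len(originals)} crawled URL(s)")
```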