.NET is one of the world's leading programming languages. Secure coding in .NET ideally requires a capable .NET code review tool that can identify today's commonly exploited security vulnerabilities, such as Cross-Site Scripting (XSS), SQL injection, insecure server configurations and more. Many commercial as well as open-source tools are available on the market today, each with its relative strengths and weaknesses.
How can you find out which .NET scanner best suits your needs? User feedback and professional reviews of code scanners are abundant on the web. Security researchers and academic institutions test these scanners and publish their reviews online, but don't base your decision solely on their opinions: they do not know your applications and environment the way you do. You'll be surprised to find out how differently each .NET scanner performs on various websites.
Going for leading commercial scanners will typically give you the edge in performance: accurate results with a low False-Positive (FP) rate, faster scanning speeds, and the ability to mitigate vulnerabilities faster. The best solutions also give you added functionality, such as extensive reporting capabilities, pinpointing the vulnerable line(s) of code, and even guiding developers to "best-fix locations" where a single fix eliminates multiple vulnerabilities.
The top commercial .NET scanner can also be better integrated into the development process, which helps create a secure Software Development Life Cycle (SDLC). It's better suited for Agile/DevOps methodologies too.
If you do opt for an open-source .NET scanner, make sure you use the trial period to check out the performance of the tool. Most .NET scanner developers offer evaluation licenses for their products. Quite a few test websites where you can evaluate various vulnerability scanners are available on the net as well. However, your own website is your best bet for testing any .NET scanner. While open source is the cheaper option, compromises in accuracy are unavoidable.
It's highly recommended that you run a scan on a test website while evaluating your next .NET scanner. This is crucial because you may not yet know how the .NET scanner performs against the target website.