How web app testing should be done: Netsparker by Invicti

12 May 2021


The web footprint of even small organizations can be astoundingly wide. Multiple departments or their outsourced contractors contribute materials and content, often on new domains, and this is published over many hundreds of sites.

Sometimes, too, entirely new web apps get created outside the remit of cybersecurity personnel. Any organization that has been in business for just a few years will have accumulated quite the library of websites, applications, APIs, and web services — the bigger the company, the greater the volume.

Even the professionals in charge of managing all these online items and resources may not be entirely cognizant of the extent of their publications. In all likelihood, there will be forgotten subdomains, web forms for long-since passed event sign-ups, test pages that have been left live, even entire test sites.

For 99% of end-users looking at the organization’s web portfolio, much of the forgotten or hidden presence will either be ignored or never stumbled over, but motivated bad actors can probe every aspect of a company’s portfolio to find an unsecured entry point. These lost or forgotten assets often contain a large number of vulnerabilities that would have otherwise been corrected in a more mission-critical application.

Securing every asset can feel like a near-impossible task, even for organizations with a small web presence. Security teams usually work reactively, patching and correcting as red flags get raised. Even if the CISO could wave a magic wand and correct every JavaScript vulnerability and SQL injection route, the fact remains that the tooling used by malicious hackers keeps moving on. Bad actors harvest the version numbers of millions of libraries and other dependencies and actively use newly disclosed exploits against the older instances they find in the wild. In short, even if the CISO used that magic wand on the problem, in a few months’ time there will be new attack vectors open somewhere in the enterprise’s online assets.

Organizations will have their own processes to keep on top of this situation, ranging from the static and manual (like employing pentesters regularly) to the automated (like Burp Suite instances running as cron jobs). No single tool or method provides 100% accuracy on viable exploits; in fact, some automated tools generate so much false-positive noise that their effectiveness is questionable.

However, at Tech HQ, we have been impressed with the metrics exhibited by the Netsparker platform, as evidenced by the platform’s results on the WAVSEP (GitHub repo here) testing environment. Its approach is the same that any tireless cybersec professional would take to keep web assets as safe and validated as possible. There is extensive documentation of the platform’s methods here, but in brief, it covers five main stages to ensure application security, as follows:

Discovery begins the process. Netsparker auto-discovers all web-facing sites and applications, including forgotten or disused resources. Thanks to extensive support for SSO and identity management systems, it can also access areas that require authentication. The crawler renders and parses the complete application, including client-side scripting and dynamically-generated content, even for complex single-page applications (SPAs) with anti-CSRF protection.

The platform detects vulnerabilities using a combination of dynamic (DAST) and interactive (IAST) methods. The scanner attempts to safely exploit each vulnerability to prove it is not a false positive and provide a severity rating. That capability (which the company calls Proof-Based Scanning) means security teams can confidently trust the tool’s results and avoid manually verifying each vulnerability reported by the scanner. In addition to the proof of exploitability, the Netsparker scan results contain everything needed to resolve the issue (including the exact location if the IAST agent is installed).

Because results confirmed by the scanner can be trusted not to be false positives, efficient organizations can integrate Netsparker into their issue tracking and CI/CD tools using built-in support for many industry-standard platforms. Such integration effectively removes the security testing bottleneck that plagues so many organizations. This process is supported by automatic fix re-testing via two-way integrations to ensure vulnerabilities are properly fixed before the issue is closed. Developers get actionable tickets complete with remediation guidance to make the best use of their time and produce more secure code in the future. This improves not only work efficiency and application security but also relations between the developer and security teams.
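The pipeline gate described above, as an added example that is not Netsparker's code and does not use its API or report format. It assumes a hypothetical JSON report in which each finding carries a severity, a `confirmed` flag (the scanner proved exploitability) and a stable `fingerprint`, plus a hypothetical issue-tracker state keyed by those fingerprints. The sample report and tracker state are constructed for the example. The gate opens tickets only for confirmed findings, routes unconfirmed ones to manual review, blocks the build on confirmed findings at or above a severity threshold, and performs the fix re-test: an issue a developer marked as resolved is closed only if the finding no longer appears, and is reopened if it still does or if it reappears after being closed.

```python
import json

# Constructed sample scan report in a hypothetical JSON shape (not Netsparker's format).
SAMPLE_REPORT = json.dumps({
    "target": "https://app.example.test",
    "findings": [
        {"name": "SQL injection", "url": "/login", "parameter": "user",
         "severity": "Critical", "confirmed": True, "fingerprint": "sqli-login-user"},
        {"name": "Reflected XSS", "url": "/search", "parameter": "q",
         "severity": "High", "confirmed": True, "fingerprint": "xss-search-q"},
        {"name": "Path traversal", "url": "/download", "parameter": "file",
         "severity": "High", "confirmed": True, "fingerprint": "trav-download-file"},
        {"name": "Open redirect", "url": "/auth", "parameter": "next",
         "severity": "Medium", "confirmed": True, "fingerprint": "redir-auth-next"},
        {"name": "Missing Content-Security-Policy header", "url": "/", "parameter": None,
         "severity": "Low", "confirmed": False, "fingerprint": "hdr-csp-root"},
    ],
})

# Constructed issue-tracker state (hypothetical), keyed by finding fingerprint:
#   open           - ticket exists and is still being worked on
#   pending_retest - developer marked the ticket resolved; awaiting scanner confirmation
#   closed         - previously verified as fixed
SAMPLE_TRACKER = {
    "open": {"redir-auth-next"},
    "pending_retest": {"xss-search-q", "xxe-import-xml"},
    "closed": {"trav-download-file"},
}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def triage(report_json, tracker, block_at="High"):
    """Reconcile a scan report with tracker state and decide whether the build may proceed.

    Returns a dict of fingerprint lists per outcome plus 'blocking' and 'build_passes'.
    """
    report = json.loads(report_json)
    result = {key: [] for key in (
        "new_tickets", "fix_failed", "regressions", "already_open", "needs_review")}
    confirmed_fps = set()
    blocking = []

    for finding in report["findings"]:
        fp = finding["fingerprint"]
        if not finding["confirmed"]:
            # No proof of exploitability: a human looks at it, but it never blocks a build
            # or generates a developer ticket on its own.
            result["needs_review"].append(fp)
            continue

        confirmed_fps.add(fp)
        if fp in tracker["open"]:
            result["already_open"].append(fp)          # tracked; do not duplicate the ticket
        elif fp in tracker["pending_retest"]:
            result["fix_failed"].append(fp)            # re-test failed: reopen, not close
        elif fp in tracker["closed"]:
            result["regressions"].append(fp)           # came back after being fixed: reopen
        else:
            result["new_tickets"].append(fp)           # confirmed and unknown: open a ticket

        if SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[block_at]:
            blocking.append(fp)

    # Fix re-test: resolved tickets whose finding is gone from the confirmed set can be closed.
    result["verified_fixed"] = sorted(tracker["pending_retest"] - confirmed_fps)
    result["blocking"] = blocking
    result["build_passes"] = not blocking
    return result


if __name__ == "__main__":
    outcome = triage(SAMPLE_REPORT, SAMPLE_TRACKER)
    for key, value in outcome.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if outcome["build_passes"] else 1)
```

In a real pipeline the tracker state would be fetched from the issue tracker and the tickets opened, reopened or closed through its API; the non-zero exit code is what makes the CI job fail when a confirmed finding at or above the threshold is present. Note that an unconfirmed finding never blocks the build, which is the practical consequence of trusting only scanner-proven results.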

The last stage of working with Netsparker is continuity of protection. Remember the CISO’s magic wand? Now, it can be waved any time you need! You can launch as many scans as you need, when you need them, even triggering tests from the development pipeline if necessary. Theoretically, Netsparker should find fewer and fewer issues over time as your teams fix existing vulnerabilities and improve their development. Unfortunately, cybercriminals are also improving their methods over time, so the ability to build security testing into the development process with Netsparker is crucial for the security officer’s peace of mind.

Netsparker’s accuracy combined with extensive automation support means that security engineers can spend much less time investigating low-priority issues and weeding out false positives. Developers are directly involved in the security testing process thanks to Proof-Based Scanning to ensure that their efforts are always guided to the right place with the right supporting information.

Every security professional in the organization already has plenty to do, so adding Netsparker will help them focus on higher-value (and more interesting) work. As the only application testing tool of its type to identify 100% of the vulnerabilities in the WAVSEP test environment and with a tiny proportion of false positives, we would recommend the Netsparker platform as a proven solution. You can undertake your own tests during a free trial after signing up for a demo with a Netsparker expert.