The operational challenges of application security testing
Businesses worldwide are coming to realize that regular and automated vulnerability scanning using a modern dynamic testing (DAST) solution is an essential part of ensuring application security. However, the variety and complexity of environments used for application development and deployment leaves many organizations struggling to get the best results, especially when limited to a cloud-only scanner. Some of these application environments may be internal and not directly accessible from the Internet, perhaps even in a separate physical network or geographical location – and yet all need to be tested.
To help overcome these challenges, Invicti provides the option of installing local scan agents in your application environments at no extra cost. Each agent acts as an additional scanning engine that complements the scanner on the main server. This makes it possible to decentralize scanning and align it with the application environment while still reaping the benefits of centralized scan and vulnerability management. The agent-based scanning model is extremely flexible and can be adapted to a wide variety of scenarios – our white paper on flexible deployment options provides a number of examples.
Invicti scan agents in Windows, Linux, and Docker
Before we get into the benefits of using local scan agents, let’s have a look at the operational basics. You can install scan agents for any Invicti deployment, whether on-premise, cloud-based, or any hybrid configuration in between. Native agents are available for Windows and Linux (currently Red Hat and Debian), but there is also a Docker image that you can deploy in any environment where Docker is used.
The addition of Linux agents has greatly expanded the options of using Invicti in public cloud workloads, as these rely heavily on Linux environments. This is important for scalability and cost optimization, as adding a new Linux virtual machine is a low-cost way to quickly expand capacity and improve performance.
Docker support takes this a step further, allowing organizations to incorporate Invicti scan agents in their Docker-based automation pipelines. A Docker-based scan agent is also independent of the underlying operating system, so scans can be launched from any physical or virtual system that supports Docker. The ability to run multiple dockerized agents on a single host adds another layer of flexibility.
Easy deployment even in complex scenarios
Adding a scan agent to an application environment is very easy. Rather than trying to set up network communication between a central scan server and every environment that you need to scan, you simply put the appropriate agent file in the environment and configure it. This is especially useful for testing in private networks with no direct Internet access.
After downloading the required file from the Invicti user interface and copying it to the right machine, you need to unpack it and modify the appsetting.json file. For the scan agent to work, you need to provide your Invicti API token and enter a unique name for the scan agent (so you can select this particular agent when launching scans). For Windows and Linux, you will usually also want to configure the agent as an operating system service so it can run in the background to poll the Invicti server and receive scan initiation commands. For more information, see Setting Agent as a Windows Service or Setting Agent as a Linux Service.
By configuring the agent as a service, you also get the option of enabling automatic agent updates to get the latest improvements and security checks as soon as they are released. You can also update agents manually, but in large environments, the automatic update option can be a huge time-saver and a boon for security. For further information, see Auto-Update Support for Scanner Agents.
Scalability and management using agent groups
When you want to scan many targets in parallel, Invicti lets you install as many agents as you need. This can be extremely useful for shortening testing times, for example, by assigning a dedicated agent to each application environment rather than having one central scanner testing all the applications sequentially. Installing an additional scan agent in your environment is very straightforward – you simply duplicate the existing agent file under a different filename and enter a unique agent name in the
With the ability to install any number of agents on multiple hosts, you also need a way to manage them all efficiently. Invicti allows you to group internal agents in a way that suits your environment and then manage agent groups rather than individual agents. To do this, simply select Agents > Manage Groups in the user interface and create agent groups as necessary.
Broader test coverage for improved security
To control incoming and outgoing web traffic for multiple internal environments, many organizations set up a proxy for an additional layer of security and management flexibility. Invicti scan agents are ready to work with proxies – you simply enter the proxy details in the agent’s appsetting.json file (the username, password, and domain) to allow the agent to scan web applications set up behind the proxy.
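The configuration steps described above (entering the API token and a unique agent name in appsetting.json, duplicating the file for each additional agent, and adding proxy details) can be scripted when you roll out many agents. The following Python example is added here for illustration and is not Invicti's own code: it derives one config per agent from a template, refuses duplicate names and placeholder tokens up front, and restricts file permissions because the file stores an API token. The key names (AgentName, ApiToken, Proxy with Address and Port), the template contents, the host names and the token value are all assumptions or constructed sample data; check the appsetting.json shipped with your agent for the real keys before using this against a deployment.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Key names are assumptions for illustration (the article names the file but
# not its keys); confirm them against the appsetting.json shipped with the agent.
AGENT_NAME_KEY = "AgentName"
API_TOKEN_KEY = "ApiToken"
PROXY_KEY = "Proxy"

# Constructed template standing in for a freshly unpacked agent file: the
# name and token start empty and must be filled in per agent.
TEMPLATE = {
    "ApiUrl": "https://invicti.example/api/",  # constructed placeholder URL
    AGENT_NAME_KEY: "",
    API_TOKEN_KEY: "",
}


def build_agent_config(template, agent_name, api_token, proxy=None):
    """Return a config dict for one agent, derived from the template.

    The template is copied, never mutated, so it can be reused for every
    agent (the "duplicate the agent file" step from the text)."""
    if not agent_name.strip():
        raise ValueError("agent name must be non-empty")
    if not api_token or api_token.startswith("<"):
        raise ValueError("real API token required; refusing placeholder")
    cfg = json.loads(json.dumps(template))  # deep copy via JSON round-trip
    cfg[AGENT_NAME_KEY] = agent_name.strip()
    cfg[API_TOKEN_KEY] = api_token
    if proxy is not None:
        # Username/Password/Domain are the fields the text mentions;
        # Address/Port are assumed extras needed for a complete proxy entry.
        cfg[PROXY_KEY] = {k: proxy[k] for k in
                          ("Address", "Port", "Username", "Password", "Domain")}
    return cfg


def find_duplicate_names(configs):
    """Return agent names (compared case-insensitively) used by more than one config."""
    counts = {}
    for cfg in configs:
        key = cfg.get(AGENT_NAME_KEY, "").strip().lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


def provision_agents(template, names, api_token, out_dir, proxy=None):
    """Write one config file per agent name, refusing duplicates before writing."""
    configs = [build_agent_config(template, n, api_token, proxy) for n in names]
    dupes = find_duplicate_names(configs)
    if dupes:
        raise ValueError(f"agent names must be unique, clashes: {dupes}")
    written = []
    for cfg in configs:
        path = Path(out_dir) / f"appsetting.{cfg[AGENT_NAME_KEY]}.json"
        path.write_text(json.dumps(cfg, indent=2))
        # The file carries an API token: owner-only read/write (no-op on Windows).
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        written.append(path)
    return written


def demo(api_token="CONSTRUCTED-DEMO-TOKEN"):
    """Provision three agents into a temp dir, reload and audit them; return a summary."""
    proxy = {"Address": "proxy.internal.example", "Port": 3128,  # constructed values
             "Username": "svc-scan", "Password": "constructed", "Domain": "CORP"}
    with tempfile.TemporaryDirectory() as d:
        paths = provision_agents(TEMPLATE, ["dmz-agent", "staging-agent", "qa-agent"],
                                 api_token, d, proxy)
        reloaded = [json.loads(p.read_text()) for p in paths]
        return {
            "files": len(paths),
            "names": [c[AGENT_NAME_KEY] for c in reloaded],
            "all_have_token": all(c[API_TOKEN_KEY] == api_token for c in reloaded),
            "all_have_proxy": all(c[PROXY_KEY]["Domain"] == "CORP" for c in reloaded),
            "duplicates": find_duplicate_names(reloaded),
        }


if __name__ == "__main__":
    # Read the real token from the environment rather than hard-coding it.
    token = os.environ.get("INVICTI_API_TOKEN", "CONSTRUCTED-DEMO-TOKEN")
    print(json.dumps(demo(token), indent=2))
```

The token is taken from an environment variable in the entry point so it never lands in version control alongside the script, and `find_duplicate_names` can also be run over configs collected from existing hosts to audit an installation for name clashes before they cause the wrong agent to be selected at scan launch.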
Invicti’s decoupled scanning architecture enables a wide array of deployment scenarios and this article only scratches the surface. For example, many Invicti users choose to test their applications both with and without a web application firewall (WAF) to get an attacker’s-eye view of their security posture without the firewall interfering with vulnerability testing. Setting this up can be as easy as adding an internal scan agent inside the firewall while continuing to scan the public-facing application using the main cloud-based scanner.
For more deployment scenarios, please see our white paper Flexible Deployment Options with Invicti Scan Agents. For technical information and FAQs related to the internal agents available in Invicti, see our support page on internal agents.