This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
ITSP Magazine’s John Dasher sat down with Ferruh Mavituna of Netsparker at the RSA Conference 2018 in San Francisco. They discussed how Netsparker is accelerating its enterprise web application scanner’s ability to find and report vulnerabilities across thousands of websites by automatically confirming that the findings are not false positives. After chatting about his background and his early days at Netsparker, Ferruh got down to business.
- Solving the false positive problem is still fundamental to Netsparker’s vision and success. In the early days, Ferruh refused to “learn to live with it”. Now, when Netsparker finds an issue, it proves that the vulnerability exists by safely exploiting it before reporting it, so you can immediately see that the issue is real and what level of risk it poses.
- Netsparker Enterprise can be used as an on-premises or on-demand, multi-user web application security solution that integrates with your SDLC and DevOps environments. This means that the security of web applications is taken care of from staging right through into production. As Ferruh put it, Netsparker can hook everything together in the SDLC process, creating a smoother workflow.
- Thanks to Netsparker, large organisations have a much lower-cost path to security than before. The earlier you find vulnerabilities in the SDLC, the cheaper they are to address; Ferruh said there was research showing that it can be up to forty times cheaper. Part of this comes from Netsparker’s ability to detect vulnerabilities quickly and to scan multiple sites at once: a developer can now see issues within forty-five minutes of writing the code, rather than months later.
- Ferruh made some fascinating points about Netsparker’s ability to greatly increase the visibility of the security process for the entire team. As a manager, you can see the state of your process and who is accountable for each part. Managers are no longer reliant on developers’ word for which website is weak and how long it will take to fix.