May 2018 Netsparker Update – New plans, UI & Single Sign-on Support

May 2018 Netsparker update – New Netsparker Team and Enterprise plans, new UI for Netsparker Desktop, Single Sign-On support and Smart card support in authenticated scans are just a few of the new features and updates we have included in this release. Read these release notes for more information.

Last year we released a Netsparker update on an almost monthly basis. This year we've been a little quieter, but we have not been sitting still. We have been working on a major update that we're delighted to be able to announce today – the new Netsparker Team and Enterprise plans!

This May 2018 update is not just about the new plans – that's just the highlight. Read this post for an overview of everything that is new, improved and fixed in this major update of the Netsparker Web Application Security Scanner.

The All New Netsparker Standard, Team & Enterprise Plans

There will no longer be a distinction between Netsparker Desktop and Netsparker Enterprise in licensing or pricing. We have integrated the two editions in our new plans. Now, when you purchase the Netsparker Team or Enterprise plan, you will have access to both the on-premises Windows software (Netsparker Desktop) and the hosted or on-premises edition of Netsparker Enterprise.

To complement these plans, we have added new functionality in both editions that enables you to connect them, and then easily share scanning and vulnerability data between them. We have explained the advantages of these new plans over individual licenses, and the integration functionality in our Integration Announcement.

This same approach is being applied to both editions' scanning capabilities and coverage. Since Netsparker Enterprise and Netsparker Desktop share the same Proof-Based Scanning™ technology, new scanning engine updates, security checks and coverage updates will be implemented in both editions of the Netsparker web application security scanner.

Support for Single Sign-On

We have always encouraged our users – especially those who integrate Netsparker Enterprise in their SDLC, DevOps and other environments – to involve their entire team in the process of identifying, triaging and fixing vulnerabilities.

Now, including the team in all processes is much easier with the introduction of Single Sign-On support. Anyone who needs to access scan and vulnerability data on the Netsparker dashboard can do so securely through your existing identity provider, without a separate set of Netsparker credentials. For a full explanation, see Netsparker and Single Sign-on support.


Off-the-Shelf Web Applications and JavaScript Libraries – Coverage & Vulnerability Detection Improved Five-Fold

Developers use many off-the-shelf web applications, frameworks and third-party components in their custom web applications. And, why not? Why reinvent the wheel when someone else has already done it for you?

The problem, as with every other type of software, is that these off-the-shelf components need to be kept up to date to address any security issues they might have. Netsparker maintains an extensive database of security checks for third-party, off-the-shelf web applications and frameworks, so they are scanned for known vulnerabilities alongside your own code. In this release, Netsparker's coverage of off-the-shelf web applications and JavaScript frameworks has been improved five-fold: we've added more web applications to the list, along with new security checks for web applications that were already in our database.

New User Interface & Visual Features

This latest Netsparker update has an awesome new UI and visual features.

A New Skin for Netsparker Desktop

Once you launch Netsparker, you’ll immediately notice the new skin of the on-premises scanner: new colours, sharper icons and fonts and better support for high-DPI monitors.


The Ribbon

We have also replaced the top drop-down menus with a new ribbon to make the features more accessible to you, a concept you'll already be familiar with from Microsoft Office.


Dockable Panels

Multi-display lovers will undoubtedly enjoy this feature. All panels in Netsparker Desktop, such as the sitemap, scan progress and vulnerability details panels, can now be undocked. This enables you to easily customise your own SpaceX-style dashboard, as illustrated.


New Security Checks & Improved Coverage

To ensure that our scanner continues to live up to its reputation as the scanner that detects the most vulnerabilities, we have added a number of new security checks in this update and improved many existing ones. Here are the highlights:

  • Server-Side Template Injection security checks (Server-Side Template Injection occurs when user-supplied input is embedded into a server-side template and then evaluated by the template engine rather than treated as plain data. An attacker can inject template directives to read sensitive data from the application context and, depending on the engine, escalate to remote code execution.)
  • Expect-CT HTTP header security check (Netsparker checks that the Expect-CT HTTP header is properly implemented. The Expect-CT (Certificate Transparency) header lets a website report on, and optionally enforce, Certificate Transparency requirements: it instructs the browser to require that the site's certificate be accompanied by valid Signed Certificate Timestamps from public CT logs. Refer to the Certificate Transparency official website for more information.)
  • Improved Anti-CSRF token support, which now also handles tokens carried in HTTP headers and HTML meta tags rather than only in form fields.
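The Expect-CT and anti-CSRF items above describe passive checks a scanner runs over a response. The following is an added example of how such checks can be implemented; it is not Netsparker's code, and the header values, meta tag names and sample responses in it are constructed for illustration. Note that browsers have since dropped Expect-CT, so the header check is mainly of historical interest, while locating anti-CSRF tokens in headers and meta tags is still needed to replay authenticated POST requests during a scan.

```python
"""Added example (not Netsparker's code): two passive response checks.

1. check_expect_ct  - validates an Expect-CT header the way a scanner would.
2. find_csrf_token  - locates an anti-CSRF token in a response header or an
                      HTML <meta> tag, so a crawler can attach it to later POSTs.

All sample responses below are constructed inline; nothing is fetched.
"""
from html.parser import HTMLParser

# Expect-CT syntax: comma-separated directives, e.g.
#   Expect-CT: max-age=86400, enforce, report-uri="https://example.com/ct"
# max-age is required; enforce and report-uri are optional.


def parse_expect_ct(value):
    """Return {directive-name: value-or-None}. Names are case-insensitive;
    quoted values are unquoted."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_expect_ct(headers, min_max_age=86400):
    """Return a list of findings for the response headers (empty = fine).
    `headers` maps header names to values; matching is case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "expect-ct"), None)
    if value is None:
        return ["Expect-CT header missing"]
    d = parse_expect_ct(value)
    findings = []
    if "max-age" not in d:
        findings.append("max-age directive missing (header is ignored without it)")
    else:
        try:
            max_age = int(d["max-age"])
        except (TypeError, ValueError):
            findings.append("max-age is not an integer: %r" % d["max-age"])
        else:
            if max_age <= 0:
                findings.append("max-age of 0 disables the policy")
            elif max_age < min_max_age:
                findings.append("max-age %d is below %d" % (max_age, min_max_age))
    if "enforce" not in d:
        findings.append("enforce directive absent: policy is report-only")
    uri = d.get("report-uri")
    if uri is not None and not uri.startswith("https://"):
        findings.append("report-uri should use https: %r" % uri)
    return findings


# Header and meta names are assumed conventions, not an exhaustive list.
CSRF_HEADER_NAMES = ("x-csrf-token", "x-xsrf-token", "csrf-token", "x-csrftoken")
CSRF_META_NAMES = ("csrf-token", "_csrf", "csrf_token", "x-csrf-token")


class _MetaScanner(HTMLParser):
    """Collects <meta name=... content=...> pairs whose name looks like a CSRF token."""

    def __init__(self):
        super().__init__()
        self.tokens = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        if name in CSRF_META_NAMES and a.get("content"):
            self.tokens[name] = a["content"]


def find_csrf_token(headers, body):
    """Return (source, name, token) for the first anti-CSRF token found in the
    response headers, then in a <meta> tag of the body; None if none is found."""
    for k, v in headers.items():
        if k.lower() in CSRF_HEADER_NAMES and v:
            return ("header", k, v)
    scanner = _MetaScanner()
    scanner.feed(body)
    for name in CSRF_META_NAMES:
        if name in scanner.tokens:
            return ("meta", name, scanner.tokens[name])
    return None


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.com/ct-report"',
    "X-CSRF-Token": "d41d8cd98f00b204e9800998ecf8427e",
}
WEAK_HEADERS = {"expect-ct": "max-age=0"}
SAMPLE_BODY = """<html><head>
<meta name="viewport" content="width=device-width">
<meta name="csrf-token" content="c0ffee-1234">
</head><body><form method="post" action="/transfer"></form></body></html>"""

if __name__ == "__main__":
    print(check_expect_ct(GOOD_HEADERS))
    print(check_expect_ct(WEAK_HEADERS))
    print(find_csrf_token(GOOD_HEADERS, SAMPLE_BODY))
    print(find_csrf_token({}, SAMPLE_BODY))
```

A real crawler would additionally remember which header or meta name the token came from, so that the replayed request sends it back in the form the application expects (typically the same header name, or the form field the page's JavaScript populates from the meta tag).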

Other Notable Highlights in this May 2018 Netsparker Update

  • Smart card authentication support (client certificates held on smart cards and accessed through PKCS#11 can now be used in authenticated scans)
  • Improved support for Swagger, YAML, React and similar web technologies
  • A new OWASP Top 10 2017 compliance report template
  • Support for multiple sitemaps in robots.txt
  • And many other updates

For a complete list of what is new, improved and fixed in this update refer to the Netsparker Desktop changelog and the Netsparker Enterprise changelog.

About the Author

Ferruh Mavituna - Founder, Strategic Advisor

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.