A landmark year for Invicti Security
Before we get into the year’s industry and product news, 2021 has been a huge year for us at Netsparker, the home of Netsparker. Back in April, we unveiled a new Netsparker brand identity to unify the visual language used across all Netsparker products and resources. Then came recognition from Gartner as Netsparker was included in the 2021 Magic Quadrant for application security testing. Finally, in October, we were proud to announce a huge growth investment by Summit Partners that will propel Netsparker into a massive 2022.
On that note, we want to thank all our employees, customers, partners, distributors, investors, and well-wishers for helping Netsparker and Netsparker go from strength to strength in another year of global challenges.
Cybersecurity in the global limelight
2021 in cybersecurity started with the fallout of the SolarWinds hack, followed by high-profile attacks such as the MS Exchange hack in March and the ransomware attack that crippled Colonial Pipeline in May. The Biden administration reacted by announcing measures to strengthen and unify cybersecurity across federal government, issuing first an executive order on cybersecurity and then a series of CISA operational directives implementing that order.
The theme of supply chain security and omnipresent threats that the world’s organizations are only just beginning to fully comprehend was clear as we participated in Black Hat 2021. Speakers and industry experts were in agreement that the biggest danger to security was likely to be attacks on unknown or overlooked assets and dependencies, from abandoned websites to third-party software components.
Updates to AppSec industry yardsticks
In 2021, we also covered a rare phenomenon: a new OWASP Top 10 list. A far cry from the simple list of web application vulnerabilities of early editions, the OWASP Top 10 for 2021 takes a more strategic view. We also took a closer look at the revamped categories that now focus less on specific security weaknesses and more on high-level considerations.
Now working to a more regular update schedule, the SANS/CWE Top 25 list of most dangerous software errors also saw a new edition. Our analysis identified a few common themes, most notably that implicitly trusting user-supplied or user-controlled data is always a bad idea – hold on to that thought until the end of this post.
Major product updates for Invicti’s Netsparker
With Netsparker product teams and security researchers working tirelessly, Netsparker development saw several milestones. Perhaps most importantly, Netsparker now has an IAST capability. This gives users the option of installing a local agent in the test environment to examine security check execution and provide an extra level of detail during vulnerability scanning. IAST agents are currently available for PHP, .NET, Java, and Node.js.
Invicti’s API vulnerability testing functionality also saw a major update, with GraphQL support added to round out existing REST and SOAP API testing capabilities. And, as usual, there were many less spectacular but equally important additions, such as feature updates, new integrations, performance improvements, and new security checks.
Research shows that integrated AppSec is the way
Shifting left and building DevSecOps continued to be dominant themes in the industry, but we at Netsparker decided to dig deeper and find solid numbers to support the marketing claims. Starting with an in-depth analysis of over 6 years of real-life vulnerability data, we found that Invicti’s Proof-Based Scanning technology exceeded even our own expectations, delivering automatic confirmations with 99.98% accuracy. This allows organizations to save thousands of hours (and hundreds of thousands of dollars) every year through confident security testing automation.
In October, we published the results of our industry survey. The Netsparker Fall 2021 AppSec Indicator brought some eye-opening numbers, most notably that up to 70% of development teams skip at least some security steps under pressure to release on schedule. This puts innovation and growth at odds with security, so tightly integrating the application security program into development is the only realistic way to continuously innovate without putting the organization at risk.
This just in: 2022 could be the year of one-click RCE
As this post was being drafted, news dropped of possibly the worst vulnerability ever: unauthenticated remote code execution (RCE) in the Log4j library (CVE-2021-44228), a.k.a. the Log4Shell vulnerability. Unlike last year’s SolarWinds scare, this is a truly global danger, as the vulnerable library is used in hundreds of thousands of Java applications worldwide, including enterprise software. So as predicted at Black Hat, we have a global vulnerability in a third-party component – and its root cause is, yes, executing unsanitized user-controlled data.
Thanks to the incredible work of Netsparker developers and security researchers who managed to create and implement new security checks in a matter of days, all Netsparker products can now detect the Log4Shell vulnerability in web applications.
Beyond the current global rush to patch Log4Shell and subsequent Log4j vulnerabilities, the crisis could mark a new chapter in application security. For the first time ever, attackers have a widespread and easy-to-use RCE vulnerability that can affect thousands of valuable systems. They can extract sensitive data, install malware, pivot to other systems, attack third parties from compromised servers… Considering how long vulnerable software can remain unpatched, it looks like 2022 could be a year of major breaches.
So patch your Log4j and brace for impact. Happy 2022.