New research shows how Invicti’s Proof-Based Scanning cuts through uncertainty

Automatic application security testing used to be synonymous with uncertain results that always needed manual verification, but modern vulnerability scanners have put a definite end to that era. This post presents highlights from an Invicti white paper on the challenges of noise and uncertainty in dynamic application security testing – and Invicti’s proven approach to extracting reliable data from scan results.


When noise obscures vulnerabilities

On the face of it, writing some scripts to automate manual vulnerability tests seems relatively straightforward and is a routine part of penetration testing. The big challenge comes when you try to make an automated test work reliably across a wide variety of applications and environments. Without great care backed by years of experience, any inaccuracies and uncertainties are amplified across each phase of vulnerability scanning until the user is flooded with unreliable results.

Alert overload is a major burden for professionals in all areas of cybersecurity. Dealing with all the real issues is already a challenge in itself – and that’s without having to wade through endless false alarms to pick out the reports that really matter. To cut down on the noise, Invicti optimizes each stage of scanning even before running the first vulnerability check. The scanner then safely executes finely tuned test attacks and uses its embedded browser engine to simulate realistic user interactions for maximum accuracy. And best of all, over 94% of direct-impact vulnerabilities are confirmed automatically with no risk of error. This is Proof-Based Scanning in action.

Proven accuracy built on years of expertise

The idea behind Proof-Based Scanning is deceptively simple: if you can automatically exploit a vulnerability, then it is definitely real and not a false positive. However, implementing this basic principle in an enterprise-grade tool while ensuring safe and consistent performance requires years of painstaking security research and application development. Invicti has been perfecting and expanding its vulnerability scanning engine for over a decade to deliver automatic confirmation of vulnerabilities with over 99.98% accuracy. In other words, when Invicti marks a vulnerability as confirmed, the risk of it being a false positive is less than 2 in 10,000.

The specific type of confirmation and proof provided by Invicti depends on the type of vulnerability. For many injection vulnerabilities, including SQL injection, Invicti can safely execute an injected payload and extract sample data as proof of exploit. For client-side vulnerabilities such as cross-site scripting (XSS), the built-in browser engine is used to execute test payloads and verify whether an exploit was successful. Again, fine-tuned attack patterns accumulated and repeatedly tested over many years of development are used to ensure accuracy.
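To make the difference between a noisy heuristic and a proof step concrete, here is an added, self-contained illustration (not Invicti's code and not a description of how its engine is built). Two hypothetical page handlers stand in for an application under test: one echoes a search parameter without encoding, the other applies the fix. A "reflected" heuristic flags any handler that echoes the marker text and so fires on both; the proof-style check parses the response the way a browser would and only reports when the inert canary tag comes back as an element, which is exactly the case the encoded handler prevents. The canary tag name and both handlers are constructed for this example.

```python
"""Added example: why a proof step removes false positives.

A noisy check flags any parameter that is echoed back; a proof-style
check only reports when the echoed text is interpreted as markup, i.e.
the application failed to encode it. The handlers below are hypothetical
stand-ins for an application under test; nothing here contacts a server.
"""
import html
from html.parser import HTMLParser

# A unique, inert tag name used as a canary (constructed for this example).
CANARY_TAG = "pbscanary"
CANARY_PAYLOAD = f"<{CANARY_TAG}>"


def render_search_unencoded(query: str) -> str:
    """Hypothetical handler that echoes input without encoding (defective)."""
    return f"<html><body><p>Results for {query}</p></body></html>"


def render_search_encoded(query: str) -> str:
    """Same handler with the fix applied: HTML-encode before rendering."""
    return f"<html><body><p>Results for {html.escape(query)}</p></body></html>"


def reflected_heuristic(response: str) -> bool:
    """Noisy check: is the marker text present anywhere in the response?

    True for both handlers, because even the encoded page still contains
    the literal word 'pbscanary' inside '&lt;pbscanary&gt;'.
    """
    return CANARY_TAG in response


class _TagCollector(HTMLParser):
    """Records every element start tag the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def markup_executed(response: str) -> bool:
    """Proof-style check: did the canary come back as an element rather
    than as text? Only an unencoded reflection yields a <pbscanary> tag."""
    collector = _TagCollector()
    collector.feed(response)
    return CANARY_TAG in collector.tags


def assess(handler) -> dict:
    """Run both checks against one handler and report them side by side."""
    response = handler(CANARY_PAYLOAD)
    return {
        "reflected": reflected_heuristic(response),
        "confirmed": markup_executed(response),
    }


if __name__ == "__main__":
    for name, handler in [("unencoded", render_search_unencoded),
                          ("encoded", render_search_encoded)]:
        print(name, assess(handler))
```

Running the script reports `reflected: True` for both handlers but `confirmed: True` only for the unencoded one; the encoded handler is the false positive that the heuristic alone would have sent to a developer. A real browser-based proof step goes much further (rendering, script execution, DOM inspection), but the triage logic is the same: report only what demonstrably executed.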

Certainty makes all the difference

The bad reputation of early vulnerability scanners lives on in the minds of AppSec professionals. Many organizations still treat scan results as unreliable by default and double-check them manually, making it all but impossible to efficiently automate and scale application security testing. When any result could potentially be a false positive, you need to check everything before you can be certain.

Working with a vulnerability scanner that actually delivers accurate and reliable results turns the traditional approach to application security on its head. Proof-Based Scanning allows Invicti to show and prove which results are real and exploitable vulnerabilities that your developers can start fixing right now with no manual verification. With out-of-the-box issue tracker integration, Invicti will even create the tickets. Scan, report, assign, fix. And no noise, only measurable security improvements.

Eliminating uncertainty makes all the difference in security testing. To see how this is done in Invicti and learn the inner workings of Proof-Based Scanning, get the full Invicti technical white paper, "How Invicti Generates Proof to Avoid False Positives".

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.