This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
Ferruh Mavituna, Netsparker founder and CEO, was interviewed in May 2019 by Paul Asadorian and Jason Albuquerque for Business Security Weekly #129. They discussed the Application Service Discovery feature of scanners, how to handle in-house written applications vs. those that are acquired, the prioritization and planning of the applications you have, and how companies should focus their common practice on the top 20% of critical applications.
- Ferruh insisted on the need for a multi-layered approach to asset discovery within an organization and environment. First, there are the hosts and servers. Then, there is the number of applications per host. Finally, one application might have multiple components, on both the client side and the server side. Companies first need to catalog them all, then stay on top of their web application security.
- During the discovery process, companies find not only unused apps but ones they should remove. But they’re reluctant to do so because this might “break stuff”. Ferruh explained that a secure SDLC is the solution to this. Once a team knows what assets need protection, they can then categorise them: the most mission critical would include actively developed applications, then legacy applications, and finally, third party applications but used in the organisation.
- In a fascinating development, Ferruh said that web security teams are now using Netsparker to test applications for vulnerabilities before they purchase off-the-shelf software from vendors! Netsparker is used as a benchmark and basis from which such companies accept applications – and the risks that go with them – into their own IT environments. Netsparker scan results have become a significant factor in how companies choose between software options. And, how these vendors respond to reported vulnerabilities is a solid indicator to potential purchasers of the future support they can expect.
- Teams can underestimate or overplay the severity of a vulnerability, once discovered. It’s hard to keep track of real results in a big organization. Netsparker provides visibility and accountability, explained Ferruh, giving CSOs an overview of the real state of vulnerabilities, as well as their severity levels, and who is responsible for fixing them.
- Finally, Ferruh shared Netsparker’s rule of thumb: automate what can be automated. Security teams shouldn’t have to deal with issues like communicating between and within departments, or spend hours on other simple tasks. Automation helps remove this noise. Teams can then focus on what matters – systematically improving everything that requires more human attention such as fixing detected vulnerabilities and attending to other issues.
Watch Ferruh’s interview on Discovering Applications, Netsparker – Business Security Weekly #129, and take a look at the relevant Show Notes.
For further information about Netsparker’s Discovery feature, read Web Application Asset Discovery Matters to get an explanation and a demo, or Application & Service Discovery Service in Netsparker support.