This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
Many have the impression that security software is difficult to use and should be left to highly trained experts. If you do a quick review of most of the automated web application security scanners available on the market today, you will notice that many have an abundance of options and settings to ensure they can be used in every type of edge case and scenario.
Even though these options might come in handy for 1% of users, they confuse the typical user and result in non-use, or in incorrect use and spurious results. Many software vendors have had to introduce certification programs for their software, because they know that training is required for users to use it correctly and efficiently. This increases overall costs through continuous staff training to keep people qualified just to use a tool that is supposed to improve automation and reduce time and money.
Web application security is a highly emotive subject that can keep many developers and admin staff awake at night, but why make it hard to implement? According to recent reports, the cause of the poor security of most websites and web applications is not a lack of tools or of awareness of security threats, but organizations not using the tools they already have at their disposal. However, organizations cannot be blamed for not using software that is difficult to use or that requires professional certification. This non-use of security software leads to wasted resources, false alarms and vulnerable web applications, to say the very least.
Organizations do not need software vendors who try to upsell them products that require more investment and do not give them what they actually need. They need a reliable solution: an easy to use web vulnerability scanner that automatically identifies vulnerabilities and security issues in their web applications, a scanner that their staff can use without any training and that produces results they can act on immediately.
Developing an Easy to Use Web Application Security Scanner
Netsparker is a brave and bold company; we thrive on defying the norm. When Netsparker was founded we created quite a stir in the industry with the bold claim of false positive free web security scans. The 'norm' before Netsparker came along was 'It is better to have an extra false positive vulnerability to verify than a false negative!'
Over the years we proved that such a compromise is not necessary and that you can have the best of both worlds. With the built-in exploitation engine of Netsparker you get results in which exploited web vulnerabilities are reported as confirmed, and findings that could not be exploited are clearly marked as possible issues, thus avoiding the negative impact false positives have on web application security scans.
And now we are looking forward to defying the norm and raising the bar again in the web application security industry. We are completely focused on developing an even easier to use web application security scanner. By easy to use we do not just mean an attractive and ergonomic user interface with lots of wizards; we also mean that we should automate practically all of the pre- and post-scan tasks for you. As the research has clearly pointed out, the easier a security tool is to use, the better its adoption rate amongst organizations, thus making the web a safer place for everyone.
Benefits of Easy to Use Web Application Security Scanner
Improve Productivity and Reduce Costs of Web Application Security
Clearly, this is the most obvious benefit of all: easy to use software costs much less to run and helps improve productivity. Users do not need to be trained or certified, and they do not need to spend a lot of time trying to figure out how the tool works. Another great benefit of an easy to use web application security scanner is that scanning tasks can be assigned to someone whose role is less technical and in a lower pay grade than a developer, which lets the developers focus on what they do best: writing code and fixing any reported security issues.
Let's take a look at a practical example: configuring URL rewrite rules in a web application security scanner. Have you ever tried to configure URL rewrite rules in any scanner apart from Netsparker Desktop or Netsparker Enterprise? You need access to the web server configuration, and you need to analyze it. You also need to know how to write regular expressions. Let's face it, even though regular expressions are not rocket science, unless you are a developer or use them on a daily basis, writing them can be a time consuming, if not frustrating, process. And if the scanner is not told which path segments are really parameters, it treats every rewritten URL as a separate static page, so the parameters hidden in the path are never attacked.
In today's fast paced world, the user should not need to know the ins and outs of a website or web application to detect vulnerabilities and security issues in it. Nor should they need to know how to write regular expressions or have access to the web server configuration, which would grant them more access than their role requires and might lead to other security issues. Configuring URL rewrite rules should be simple: specify the URL and the parameters, and let the scanner automate the URL rewrite configuration for you, as it does in Netsparker.
But we at Netsparker are not settling for just this. We love a new challenge and we are going a step further. Currently we are working on a new feature for both Netsparker Desktop and our online web application security scanner Netsparker Enterprise that will automatically detect URL rewrite rules for crawling and attacking purposes, so there is nothing the user needs to do. Of course we will still allow the geeky users to configure their own rules should they want to, but we are further simplifying the process without losing any of the product's capabilities.
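To make the two ideas above concrete, the placeholder-style rule described in the previous paragraph and the automatic detection described in this one, here is an added worked example in Python. It is not Netsparker's code and does not reflect how Netsparker implements either feature; it illustrates the general technique, and the placeholder syntax (`{name}`), the function names and the crawled URL list are all my own assumptions and constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import quote, urlsplit

# Assumed placeholder syntax for a user-supplied rewrite rule, e.g. "/product/{id}/{slug}".
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def template_to_regex(template):
    """Turn a placeholder template into the regular expression a scanner would
    otherwise need the user to write by hand. Each placeholder becomes a named
    group matching one path segment; literal text is escaped."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>[^/]+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def extract_params(template, path):
    """Map a concrete crawled path onto the template; returns the parameter
    values (the parts a scanner should attack) or None if the path does not match."""
    m = template_to_regex(template).match(path)
    return m.groupdict() if m else None


def rewrite_path(template, params):
    """Build a request path from the template and parameter values. Values are
    percent-encoded with no safe characters, so a payload containing '/' or '?'
    stays inside its own segment instead of changing the route."""
    return PLACEHOLDER.sub(lambda m: quote(str(params[m.group(1)]), safe=""), template)


def infer_templates(paths, min_samples=2):
    """Heuristic auto-detection of rewrite rules from crawled URLs (assumed
    approach, not Netsparker's): group paths by segment count and first segment;
    within a group with at least min_samples members, a position whose value
    varies between paths is treated as a parameter. A group that is too small
    is kept as literal paths. Limitation: a parameter in the first segment
    (e.g. a language code) is not detected by this grouping."""
    groups = defaultdict(list)
    for p in paths:
        segs = urlsplit(p).path.strip("/").split("/")
        groups[(len(segs), segs[0])].append(segs)

    templates = []
    for (count, _first), rows in sorted(groups.items()):
        if len(rows) < min_samples:
            templates.extend("/" + "/".join(r) for r in rows)
            continue
        tpl = []
        for col in range(count):
            values = {r[col] for r in rows}
            tpl.append(rows[0][col] if len(values) == 1 else f"{{p{col}}}")
        templates.append("/" + "/".join(tpl))
    return templates


# Constructed sample crawl output; not taken from any real site.
CRAWLED = [
    "/product/1/red-shirt",
    "/product/2/blue-hat",
    "/product/3/green-sock",
    "/about",
    "/user/alice/profile",
    "/user/bob/profile",
]

if __name__ == "__main__":
    for t in infer_templates(CRAWLED):
        print("detected rule:", t)
    rule = "/product/{id}/{slug}"
    print("regex:", template_to_regex(rule).pattern)
    print("params:", extract_params(rule, "/product/42/red-shirt"))
    # A scanner would now substitute a test payload into the 'id' parameter:
    print("attack path:", rewrite_path(rule, {"id": "1'", "slug": "red-shirt"}))
```

The point of `rewrite_path` encoding its values is the edge case a hand-written rule often gets wrong: an injected payload that contains a slash must not be allowed to change which route the server dispatches to, otherwise the scanner attacks a different page than the one it reports on.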
More Accurate Web Vulnerability Scans and More Secure Websites and Web Applications
Garbage in, garbage out. If you are not familiar with the term, it means that if you feed garbage to a computer it will produce garbage, since it operates by logical processes. The same applies to a web application security scanner. If it is difficult to configure, users will not configure it correctly and it will produce incorrect scan results: it will fail to crawl the website properly, report a lot of false positives and miss genuine vulnerabilities.
Web Application Security Automation Made Easy
Automation and easy to use security software are definitely the way forward if we would like to see more organizations adopt our solutions and develop more secure websites and web applications. As we have shown, there is no need to limit any of the product's capabilities in order to deliver a user friendly product. In fact, both the desktop and online editions of our automated web application security scanners are fully fledged scanners, and every automated process can be overridden and configured manually. However, we have found that only a minority need such fully configurable scanners, and we are happy to cater for them. The general user base needs easy to use tools. After all, they want to scan web applications and identify vulnerabilities, not fly rockets to the moon, unless of course they work for NASA, in which case, cool!