This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
Ferruh Mavituna, Founder and CEO of Netsparker, was interviewed by Paul Asadoorian and Dr Doug White during the Enterprise Security Weekly podcast show #81. During the interview, Ferruh talked about:
- The current focus for Netsparker - scanning at scale. Netsparker Enterprise is helping enterprises with thousands of web applications to find vulnerabilities automatically and then begin remediation without delay. Large organizations still suffer data breaches, and web application vulnerabilities remain the most common source.
- He then highlighted the need for product honesty in the web application security industry, as the problem of false positives and poor accuracy can lead to a loss of trust among some organization leaders. Scanners that, unlike Netsparker, don't tackle the problem of false positives can discredit the process and create problems for technology teams when dealing with management.
- There was a discussion about the relationship between dynamic analysis tools like Netsparker and static analysis ones. Ferruh's view was that integrating these tools helps to pinpoint vulnerabilities, and he suggested that dynamic tools could be used to validate the findings of the static ones.
- On the question of performance, he emphasised that once a company moves from Netsparker Desktop to Netsparker Enterprise, scalability is no longer an issue, since many hundreds or even thousands of websites can be scanned at once. Inaccurate scanners that generate large numbers of false positives and false alarms are an impediment to working at scale in any organization, especially one with multiple security problems and priorities to weigh up. What is vital for such organisations is end-to-end vulnerability management: detection, proof of exploit, details including threat levels, and remediation advice.
- It turns out that the biggest challenge with IoT devices is that their code is often written by non-web developers, who therefore don't use the typical queries, languages or servers, or observe the expected coding standards. However, Netsparker could still find and validate many of their vulnerabilities.
- Ferruh confirmed that Netsparker will be exhibiting at the RSA Conference 2018 in San Francisco. He extended an invitation to any businesses interested in web application security challenges, including scalability, to come and talk to him there.