Ferruh Mavituna, Founder and CEO of Netsparker, was interviewed by Paul Asadoorian for Enterprise Security Weekly #98. They talked about the differences between penetration testing and automated dynamic scanning, how to balance the two approaches, and why enterprises need to automate web application security. During the show, Ferruh explained:
- Security is not something you can tack on at the end. The web development landscape has changed since the traditional Waterfall approach, where a pen test was scheduled around two months before release. Agile enterprises deploy code to live environments multiple times a day, and this new approach no longer has discrete 'stages' of development in which a pen test can be slotted, so Netsparker has automated as much of the security testing in the SDLC as possible.
- Addressing vulnerabilities at the earliest possible point in an Agile SDLC lets developers learn as they discover and fix vulnerabilities, reducing the chance of the same class of vulnerability being introduced again. Paul added that this also avoids the twin Waterfall problems of a developer not having looked at the code for months, and of the many dependencies that would also need to be unravelled before a fix could ship. And it's cheaper too!
- Paul then switched the conversation to black box testing, asking whether Netsparker was continuing down that path in Agile and DevOps contexts. Ferruh replied that integrating static analysis into the development workflow is becoming popular, where the tool warns a developer that they may be introducing a vulnerability as they write the code. But he highlighted one huge disadvantage: it produces lengthy reports, containing many false positives, that are simply ignored.
- In contrast, they discussed the extremely accurate results of dynamic testing. Ferruh said that Netsparker's technology safely exploits the vulnerabilities it finds and supplies a proof of exploit for each one, meaning only confirmed vulnerabilities are flagged to developers as issues. Ferruh stated that it was really an issue of trust: developers can trust that vulnerabilities detected by Netsparker are real and must be addressed.
- Paul then asked whether Ferruh had observed teams adding information to their dynamic scanner that would help it become not only more accurate, but more comprehensive. Ferruh confirmed that developers are very good at contributing this information (for example, importing a WSDL or Swagger/OpenAPI file), the same information they would give to a penetration tester, and that it helps improve the coverage of the dynamic scanner.
- They then discussed how some external, public-facing applications can additionally benefit from crowd-sourced pen testing, and even bug bounties. But they concluded that the time and hassle of running a bug bounty program with financial incentives, in which every submission needs to be collated, investigated and compensated, could be counter-productive, particularly when many of those findings would be discovered anyway by a dynamic scanner.
- Finally, they discussed how dynamic scanners, such as the Netsparker web application security scanner, help enterprises create a security workflow, one that includes a facility to assign vulnerabilities to developers, track the progress of the fixes, and retest or reassign them. Security testing is integrated into the SDLC, in both development and live environments, which matters more the more websites you manage.
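The point about importing a Swagger/OpenAPI file deserves a concrete illustration: a crawler only discovers what the UI links to, so an API-only route such as `DELETE /users/{id}` stays invisible to a dynamic scanner unless the developer hands it the spec. The following is an added example, not Netsparker's code or any scanner's import format, showing how such a spec is turned into concrete seed requests (method, URL with path parameters filled, query parameters, headers and a JSON body template). The API described by `SAMPLE_SPEC` is constructed for the example and `api.example.test` is not a real host.

```python
"""Seed a dynamic scanner's crawl from an OpenAPI (Swagger) document.

Added example, not code from Netsparker or the interview. Standard library only.
"""
import json
from urllib.parse import urlencode

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")

# Constructed sample spec for a hypothetical API (not a real service).
SAMPLE_SPEC = json.loads(r"""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "components": {"schemas": {
    "User": {"type": "object",
             "properties": {"name": {"type": "string"},
                            "admin": {"type": "boolean"}}}}},
  "paths": {
    "/users": {
      "get": {"parameters": [{"name": "q", "in": "query",
                              "schema": {"type": "string"}}]},
      "post": {"requestBody": {"content": {"application/json": {
                 "schema": {"$ref": "#/components/schemas/User"}}}}}
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true,
                      "schema": {"type": "integer"}}],
      "get": {},
      "delete": {"parameters": [{"name": "X-Reason", "in": "header",
                                 "schema": {"type": "string"}}]}
    }
  }
}
""")


def resolve(spec, schema):
    """Follow local '#/...' $ref pointers until a concrete schema is reached."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def sample_value(spec, schema):
    """Pick a type-correct placeholder so the seeded request is well-formed."""
    schema = resolve(spec, schema or {})
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "string")
    if t == "object":
        return {k: sample_value(spec, v)
                for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [sample_value(spec, schema.get("items", {}))]
    return {"integer": 1, "number": 1.0, "boolean": True}.get(t, "test")


def seed_requests(spec):
    """Return one concrete request template per operation in the spec."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    requests = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-level parameters
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level parameters override path-level ones with the
            # same name and location, as the OpenAPI spec requires.
            params = {(p["name"], p["in"]): p for p in shared}
            params.update({(p["name"], p["in"]): p
                           for p in op.get("parameters", [])})
            url, query, headers = path, {}, {}
            for (name, loc), p in params.items():
                val = sample_value(spec, p.get("schema"))
                if loc == "path":
                    url = url.replace("{%s}" % name, str(val))
                elif loc == "query":
                    query[name] = val
                elif loc == "header":
                    headers[name] = str(val)
            body = None
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body = sample_value(spec, content["application/json"].get("schema"))
                headers["Content-Type"] = "application/json"
            if query:
                url += "?" + urlencode(query)
            requests.append({"method": method.upper(), "url": base + url,
                             "headers": headers, "body": body})
    return requests


if __name__ == "__main__":
    for r in seed_requests(SAMPLE_SPEC):
        print(r["method"], r["url"], r["headers"], r["body"])
```

Running it yields four seed requests, including the `DELETE /users/1` and the JSON `POST /users` that no link crawl of a front end would ever produce. The placeholders are only there to make each request syntactically valid; the scanner then mutates every parameter it learned about (path, query, header and body fields alike) with its own payloads.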