More Than Scanning: Integrating Web Application Security

Ensuring security is not a one-off effort but a continuous process that needs to be integrated into the software development and testing workflows. Invicti tightly integrates with existing tools and processes for maximum effectiveness and automation. This article shows how Invicti fits into each stage of a secure application development process.

More Than Scanning: Integrating Web Application Security

Scanning accuracy is a fundamental requirement for any serious web application security solution, yet it is only a small part of the bigger picture. Ensuring security is not a one-off effort but a continuous process that needs to be tightly integrated into the software development and testing workflows. Using Invicti as an example, let’s see where scanning fits into the wider web security picture and why integration is so important.

Define and Discover Your Web Assets

Knowing what you have and what you need to secure is a prerequisite of any security process. For Invicti, there are 3 main sources of asset information: discovery, crawling, and imported definition files. Asset discovery is run automatically based on starting URLs, domain names, certificates, and other information provided by the user. As the discovered websites and applications are later crawled during scanning, more assets are detected (based on links, DOM data, and script calls, for example) and added to the pool.

For complex applications and APIs (application programming interfaces), Invicti supports a vast array of definition formats that you can import to indicate what URLs need to be crawled and tested, including SOAP and REST API definitions. Assets can also be added manually to ensure maximum coverage of the application environment.

Scan for Vulnerabilities

Next comes the actual application security testing in the form of vulnerability scanning. At this stage, scan accuracy and coverage are vital to providing useful and actionable vulnerability information downstream. Less advanced scanners have a hard time dealing with ever more complex and dynamic websites, such as single-page applications (SPAs) where most of the page is generated by JavaScript. Authentication has also been a stumbling block for automated testing, with lower quality tools often skipping entire site sections that are only accessible after login.

Invicti leads the industry in both accuracy and coverage, providing extensive authentication support right out of the box and handling even the most complex dynamic applications. Built on over a decade of expertise and relentless improvement, the scanning engine accurately detects a wide variety of issues. Crucially, Invicti tests for vulnerabilities by safely conducting simulated attacks with realistic payloads and providing proof for attacks that do succeed. This proprietary Proof-Based Scanning technology makes it possible to send out automated notifications about verified vulnerabilities without worrying that they might be false alarms.

In the simplest scenario, for example on first use, you can launch a scan manually to test all assets discovered and defined in the previous step. For regular scanning, you can integrate with automation platforms and CI/CD pipelines to launch automated tests at specified stages of development and testing. However, getting a list of vulnerabilities is just the beginning and there is a long way to go before they are eliminated.

Verify and Triage Vulnerabilities

In traditional web security workflows, the security team was responsible for manually coordinating every single security issue, from verification and classification to assignment and retesting. For smaller environments, this may have been workable, if tedious. In a large organization with hundreds of websites and applications, this could mean thousands of issues for a small security team to sift through – and if each of them could potentially be a false positive, there is no way to automate the process.

With Proof-Based Scanning™ and automation, Invicti completely changes the game by clearly separating exploitable, proven vulnerabilities from results that require further analysis by a security expert. Issues are also automatically triaged so you can immediately see which vulnerabilities are critical and need immediate attention. For high-priority confirmed issues, you can then automatically assign tickets to developers to bypass manual processing by the security team and get issues fixed as soon as possible.

Assign Fix Tasks to Developers

Issue assignment is another potential bottleneck, especially in large organizations where each additional manual task is multiplied by hundreds of issues. Creating a ticket is not just a matter of clicking a button – to fix a vulnerability, you need to get all the necessary information to the right developer or team lead, which can require a lot of input from the security engineers.

Invicti integrates with dozens of third-party products, including the most popular issue trackers, making it easy to automatically assign issues and send notifications. Each vulnerability report contains detailed information about the issue, its consequences, and recommended remedies, so developers can get to work immediately. For automatically verified vulnerabilities, the report also includes proof that the issue can be exploited by attackers, saving the security team the effort of convincing developers that a bug really exists.

After a vulnerability is fixed, the fix must be tested to ensure that the original issue is gone and no new vulnerabilities were introduced. Normally, this would be another manual task for the security team, but with Invicti’s SDLC integration capabilities, fixes can be automatically rescanned as soon as they are submitted. If the test fails, the issue is automatically sent back to the developer, again saving a lot of time and effort.

Apply Web Application Firewall Rules

Fixing bugs takes time and if you have a critical security issue, the application remains wide open to attack until the vulnerability is fixed. To temporarily protect applications until a fix is deployed, organizations use web application firewalls (WAFs) to block attack attempts. Because a misconfigured WAF can block legitimate traffic, WAF rules are usually defined and added manually, which again takes precious time.

To simplify and speed up this process, Invicti integrates with several popular web application firewalls. Depending on the product, you can export WAF rules from a vulnerability report and import them into the WAF or even automatically apply WAF protection as soon as a vulnerability is confirmed with Proof-Based Scanning™. This can greatly improve application security because even zero-days are blocked as soon as they are discovered, even before the developers start working on a fix.

Report Results and Analyze Trends

To improve security in the long run, you need to be proactive and go beyond fixing vulnerabilities as they are found. An effective web application security program should define and enforce security policies, best practices, compliance requirements, service levels, and other aspects of security management. To do this, you need centralized visibility and flexible reporting and compliance tools.

Invicti provides clear dashboards and detailed scan reports to give you visibility into your current security status and help you make informed decisions and identify trends. Apart from extracting a wealth of data from a specific scan, reports can also be used to monitor compliance, for example to ensure that none of the common vulnerability types listed in the OWASP Top 10 are present. You can even use the PCI compliance reporting feature to get official PCI certification with a single click.

Stay in Control

To talk about a process, you need integration – otherwise you only have isolated tasks. In the past, this was how web application security worked, with security specialists and developers using manual tools to resolve vulnerabilities and coordinate work. Vulnerability scanners have made it easier and faster to find vulnerabilities, but without the right integrated workflows, you can end up with hundreds more issues than your teams can handle.

An effective application security process must be built into the software development lifecycle and provide the means to automate as many manual tasks as possible. Invicti comes with a wide variety of integrations to help you embed vulnerability scanning and management into your existing security and development workflows. And because vulnerability reports confirmed with Proof-Based Scanning™ are definitely not false positives, you can automatically feed them into issue trackers, notifications, and WAF rules to maximize security and efficiency.

To show how Invicti handles integration across the entire web application security process, we’ve prepared an infographic that highlights workflows and available integrations (click to enlarge or view as PDF):

Netsparker workflow integration

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.