This quick start guide aims to get you oriented with Invicti Enterprise. For this scenario, you will scan one of the test websites of Invicti. Scanning a test website can give you an idea about the capabilities of Invicti Enterprise.
Here are some of the things you will learn how to:
- Add a target website to your Invicti Enterprise account
- Customize scan settings for your website
- Review scan results
- Integrate Invicti Enterprise with an issue tracking system
- Create a scan report
Prerequisites for the Invicti Enterprise On-Premises
This guide is applicable to the Invicti Enterprise On-Demand edition.
This guide is also applicable to the On-Premises edition only if you install a scanner agent and an authentication verifier agent and configure your email settings. These are required to scan your web application, verify any login forms, and receive any report following any scans.
Step 1: Adding a target website
Before scanning, you have to add a website to your Invicti Enterprise account. To do this, from the main menu, select Websites > New Website. Then, you can enter the necessary information, such as name, URL, and technical contact, and select Save. For further information, see Adding a Website in Invicti Enterprise.
For the Agent Mode, you can select the Cloud when the website is not in your internal network and is accessible publicly from the internet. If you want to scan a website in your internal network, you can select the Internal mode and install an agent. Using the On-Premises edition? See Installing the Invicti Enterprise Agent.
Step 2: Launching a scan
Now that you’ve added your website for the security scanning, you can go ahead and launch a scan. To do this, from the main menu, select Scans > New Scan. Invicti lets you start scanning with the default settings.
Using default settings
It provides many default configurations including Default Scan Policy with built-in Security Checks, Report Policy, Maximum Scan Duration, Scan Scope, Heuristic URL Rewrite Mode, and Notifications. This makes it easy to get started quickly. To understand the scan settings in-depth, see Creating a New Scan.
You may wish to go ahead with the default settings. After selecting the target website, you need to select Launch. Right after, Invicti will begin scanning the website.
You can monitor the progress in real-time. Also, Invicti will start reporting vulnerabilities as soon as it identifies them.
Using customized settings
What if you need to configure the scan settings and authentication? You may have a website that requires fine-tuning the scan settings. To meet such needs, Invicti has extensive customization options suitable for your website. The following scenario will showcase some of these extensive customization options.
- For this scenario, you need to enter authentication information so that Invicti can crawl and attack password-protected web pages. To do so, select Form > Form Authentication. As the PHP test website has a straightforward login page, it is easy to configure.
- Once you enter the login credentials, select Verify Login & Logout to make sure that Invicti can crawl and attack these web pages. If your own website has a different configuration for authentication, see Overview of Authentication.
- Next, you may wish to configure the Scan Scope. It lets you define what part of the website can be scanned. You can instruct Invicti Enterprise to scan only the entered URL. That means only the supplied URL and the parameters on its page will be scanned.
- Further, you can exclude a certain part of the website from the security scanning. You can do this thanks to the regular expression (RegEx). If you wish, you can also exclude the authentication web pages from the scan. When you select the Exclude Authentication Pages checkbox, Invicti will exclude authentication-related web pages – such as login and logout – from the scan scope to prevent logging out during the scan. For further information, see Scan Scope.
- Now, you may wish to configure the scan time window. As the PHP test website is in the production environment and is accessible to visitors, you may not want to cause any disruptions. So, you can instruct Invicti to perform scanning within non-business hours. For further information, see Scanning Production Environments.
- In addition to these customizations, you may add links to have a head start in scanning and configure notifications. To understand each setting and how to configure it, see Invicti Enterprise Scan Options Fields.
Remember that scan duration may vary depending on the size of the web application and the variety of security checks enabled in the Scan Policy you’ve selected.
Step 3: Reviewing scan results
When Invicti completes the security scanning, it notifies you with an email. In this scenario, the scanner warns you that the PHP test website is very insecure and requires immediate attention.
- Now, select View the Report Online to see the scan summary. This page lists vulnerabilities grouped by severity levels. For further information, you can review the technical report to see whether the vulnerability identified by Invicti is confirmed. Once you understand this vulnerability is confirmed, you can start working on the issue.
- You may wish to select Update to assign this vulnerability to developers. Invicti notifies them so that they can start working on this vulnerability. Or, you can select the Accepted Risk button and prefer not to work on it.
- When you want to review the progress, you can select Issues > All Issues. This page provides you a quick overview of vulnerabilities. For example, Invicti shows that the Blind SQL Injection is Fixed (Unconfirmed).
- This means remediation action has been taken on this issue, and the issue is updated as Fixed. Now, select Issues > Waiting for Retest. Invicti notifies you that it is about to scan to confirm the remediation, and when the scan is completed, you’ll be notified.
- If the issue is fixed, the issue's state will be automatically changed to Fixed (Confirmed); otherwise, Invicti will change its status back to Present again and will assign it to the user who marked the issue previously as Fixed.
Want to create a team in Invicti Enterprise? See Managing Team Members in Invicti Enterprise.
Step 4: Integrating with issue tracking tool
To handle issues easily, you may wish to integrate Invicti Enterprise with an issue tracking system. Invicti integrates with a wide range of software and tools that you can integrate into your existing SDLC processes, including vulnerability management systems, issue tracking systems, continuous integration systems, and web application firewalls. These tools help you to streamline the bug-fixing processes.
For further information about integrations, you can see Integrations.
- Let's say you set up an integration with Jira. So, you want Invicti to report critical issues to Jira once the scan is completed. Then, you can assign issue(s) to developers directly from Jira. To do so, you can select Notifications > New Notification.
- Then, you can configure bi-directional integration with Jira, so, when a developer fixes an issue and sends a merge request, Invicti tests the fix to make sure that the issue is really fixed or not. If Invicti still identifies an issue, it re-assigns the issue to the same developer. To configure this, you can select Integrations > New User Mapping. Then, select the Jira tab and complete the integration.
You can view this infographic to see how Invicti works and which tools it integrates with.
Step 5: Creating a scan report
Suppose you’ve scanned php.testsparker.com and assigned the issues to developers. While they have been working on these issues, your managers may want to view the progress. So, you need to submit a report to them so that they can glance through the report and understand your progress.
To generate an executive summary, from the Recent Scans window, you can select Report from the relevant scan. Then, select Export.
From the Report drop-down, you can select the Executive Summary. From the Format drop-down, select PDF. Then, select Export.
What if developers want to view the progress on the website? Then, you can select the Detailed Scan Report from the Report drop-down and Export. For more information about different types of reports, see Reports.
This quick start guide aims to get you oriented with Invicti Enterprise. Need more information about how to use Invicti Enterprise? Visit https://www.invicti.com/support. Still have questions? Contact email@example.com.