
Analyzing software composition with Invicti Shark (IAST)

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

You can use Invicti Shark (IAST) to run software composition analysis (SCA). It analyzes your web application’s software composition and lists all components.

  • More and more web applications rely on third-party components, so your web application’s security also depends on the security of those components.
  • Manually tracking whether each of these components has known vulnerabilities, and whether an update that addresses them is available, takes a lot of time and effort.

Invicti can detect technologies used in your web application. It tracks and reports on problems, such as whether any of the technologies are out-of-date or whether a specific version has any issues.

  • The Technologies feature relies on HTTP headers and responses, whereas Invicti Shark (IAST) runs inside your application, so it can identify your entire technology stack rather than only what is exposed in responses.
  • It can also detect whether these components are secure by using a vulnerability database.
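The two bullets above describe what an SCA check does with the component list an in-process sensor collects: match each package and version against a vulnerability database and flag anything vulnerable or out of date. The following Python script is an added illustration of that matching logic, not Invicti's code and not a description of its vulnerability database; the advisory ids, package names, version ranges and inventory are all constructed placeholders.

```python
"""Toy software composition analysis (SCA) matcher (added illustration, not Invicti's code).

Input: a component inventory as (package, version) pairs, the kind of data an
in-process sensor can observe directly instead of inferring from HTTP headers.
Each entry is checked against a constructed vulnerability database and a
constructed latest-release table, then flagged as vulnerable, out of date, or both.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.

    Plain string comparison gets this wrong: '1.10.0' < '1.4.2' as text,
    which would mis-classify a patched release as still affected.
    Only dotted integer versions are handled in this toy.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    advisory_id: str        # constructed placeholder, not a real CVE number
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    summary: str

    def affects(self, version: str) -> bool:
        """True when `version` falls inside [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed is not None and v >= parse_version(self.fixed):
            return False
        return True


# Constructed sample vulnerability database (package names and ids are placeholders).
VULN_DB = [
    Advisory("ADV-0001", "examplelib", "1.0.0", "1.4.2", "unsafe deserialization"),
    Advisory("ADV-0002", "examplelib", "2.0.0", None, "open issue, no fixed release"),
    Advisory("ADV-0003", "otherlib", "0.9.0", "1.0.0", "header injection"),
]

# Constructed latest-release table used for the out-of-date check.
LATEST = {"examplelib": "2.1.0", "otherlib": "1.1.0", "cleanlib": "3.0.0"}


@dataclass
class Finding:
    package: str
    version: str
    advisories: List[str] = field(default_factory=list)   # matching advisory ids
    out_of_date: bool = False


def analyze(inventory: List[Tuple[str, str]]) -> List[Finding]:
    """Check every inventory entry against VULN_DB and LATEST."""
    findings = []
    for package, version in inventory:
        finding = Finding(package, version)
        finding.advisories = [
            adv.advisory_id for adv in VULN_DB
            if adv.package == package and adv.affects(version)
        ]
        latest = LATEST.get(package)
        finding.out_of_date = (
            latest is not None and parse_version(version) < parse_version(latest)
        )
        findings.append(finding)
    return findings


def report(inventory: List[Tuple[str, str]]) -> None:
    """Print one line per component: matching advisories and/or an out-of-date flag."""
    for f in analyze(inventory):
        status = []
        if f.advisories:
            status.append("VULNERABLE (" + ", ".join(f.advisories) + ")")
        if f.out_of_date:
            status.append("OUT-OF-DATE")
        print(f"{f.package} {f.version}: {' '.join(status) or 'ok'}")


# Constructed inventory, as an in-process sensor might report it.
INVENTORY = [
    ("examplelib", "1.2.10"),   # inside ADV-0001's range and behind latest
    ("examplelib", "1.10.0"),   # patched for ADV-0001, but still behind latest
    ("examplelib", "2.1.0"),    # current release, but ADV-0002 has no fix yet
    ("otherlib", "0.9.5"),      # inside ADV-0003's range
    ("cleanlib", "3.0.0"),      # nothing known
]

if __name__ == "__main__":
    report(INVENTORY)
```

The two flags are deliberately independent: a component can be behind the latest release without any known advisory (examplelib 1.10.0 here), or on the latest release and still affected by an issue that has no fix yet (examplelib 2.1.0). A report that conflates the two hides the second, more urgent case.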

This topic explains how to analyze software composition with Invicti Shark (IAST).

Analyzing software composition with Invicti Shark (IAST)

Prerequisites

If you have already installed Shark (IAST) in your environment, we strongly recommend that you re-download the Shark files and redeploy them in order to use the SCA capabilities.

Analyzing software composition with Invicti Shark (IAST) in Invicti Enterprise

  1. Configure a scan policy for Software Composition Analysis (SCA)
  2. Scan your application with the scan policy created in the first step
  3. Review the scan result

Step 1. Configuring a scan policy for SCA

How to configure a scan policy for SCA
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. From the New Scan Policy page, enter a name and a description for your new scan policy.
  4. From the Security Checks section, select Software Composition Analysis.
  5. Select Save.

Step 2. Scanning your application with the custom scan policy

After you create a custom scan policy that includes the Software Composition Analysis check, you can launch a scan to detect whether your technology stack has any vulnerabilities.

How to scan your application with the custom scan policy
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.

Before scanning your website in Invicti Enterprise, make sure you have added a website (Adding a website in Invicti Enterprise).

  3. In the Target URL field, enter the URL.
  4. From the Scan Policy drop-down, select the custom policy you created in the first step.

Make sure you select Shark (IAST) and deploy the related Shark sensors. For further information, see Downloading Shark Sensors in Invicti Enterprise.

  5. Select Launch to scan.

How to run a group scan with the custom scan policy
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Group Scan.
  3. From the New Website Group Scan page, select Website Group from the drop-down menu.
  4. From the Scan Policy drop-down, select the custom scan policy you created in the first step.
  5. Select Launch to scan.

Step 3. Reviewing the scan result

When you launch the scan, Invicti Enterprise crawls and attacks your web application to identify vulnerabilities.

Once the scan completes, Invicti sends an email containing a link to the report. If you have not configured email notifications, log in to Invicti Enterprise and open the report there. You can also check the Technology dashboard to view all vulnerable components identified.

How to access your scan report
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > Recent Scans.
  3. Next to the relevant scan, select Report.
  4. On the Scan Summary page, scroll down to the Technical Report section to view your scan report.

From the Technical Report, you can also select the Knowledge Base tab, then Software Composition Analysis (SCA), to view all vulnerable components identified in that scan. For further information, see Software Composition Analysis (SCA) Node.

In addition to these, you can visit the Technology Dashboard to see vulnerable components identified in all scans.

How to view vulnerable components on the Technology Dashboard

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Technologies > Dashboard.

For further information, see Technologies.

Analyzing software composition with Invicti Shark (IAST) in Invicti Standard

How to analyze software composition with Invicti Shark (IAST)
  1. Open Invicti Standard.
  2. In the Home tab, select New.
  3. In the Target Website or Web Service URL field, enter the URL of the website you want to scan.
  4. Configure the Scan Policy, Invicti Standard Scan Options Fields, and Authentication as required.

Make sure to select Software Composition Analysis from the Security Checks.

  5. Select Start Scan.

When Invicti scans your web application, it lists all identified vulnerabilities on the Issues panel.

From this panel, you can reach all vulnerable third-party components identified by Invicti Shark (IAST). When you select a vulnerability from the Issues panel, you can see its details, impact, remedy, and related information.

In addition to the Issues panel, you can see the list of all third-party components in the Knowledge Base panel.

Invicti highlights all out-of-date and vulnerable components in red. It provides the package name, its version, and its vulnerabilities.