Web Application Security Scanning Flow
Launching an automated web application security scan is not enough on its own. Maintaining a secure web application is a broader and more challenging process. Thanks to Invicti’s advanced technologies, discovering issues in a web application and fixing them is easier than ever.
Invicti will help you with default options and explanations. But you also need to gather some detailed information about your web applications. This topic will help you prepare, so that you can set the correct options for your Invicti scan.
Knowing Your Web Application
Before launching a scan, it's best to conduct a mental inventory. The answers will help you to optimize your Scan Policies.
Do you know the following about your website Technologies?
- Which programming (or scripting) languages were used to develop the website?
- Is the web application based on a framework or a CMS?
- On which operating system does the application run?
- Are there any databases connected to the application?
- Are you aware of all your online collateral, web applications and services?
- The most vulnerable components of a web application could be the login forms and the input fields (which are reported in the Knowledge Base Tab once a scan has been completed). Have you checked your websites to determine if there are any web forms or input areas? You will need them for setting form authentication or excluding them from the Scan Scope. Excluding components will be very useful in such cases. Invicti carries out a large number of attacks which may negatively affect your web application if the parameters are not set properly. For instance, if there is a mail form on your web application, Invicti will send requests on that form and you may receive many unwanted emails..
For further information, see Before Using Invicti, Application & Service Discovery Service, and Scanning Production Environments.
Preparing and Configuring Scans
After learning which technologies and other elements exist on the web application, next you will start configuring the scan.
Invicti is a very user-friendly, automated web application security scanner. In most cases, it is enough to enter the target URL and start scanning. The scanner will automatically fine-tune itself. However, even though Invicti will discover the issues successfully, it may make extra and unnecessary security checks, keeping the target host needlessly busy, because the scan is not configured precisely. So, you can choose to configure the Scan Settings yourself. Alternatively, you can make use of Invicti Assistant.
The duration of a web application security scan depends on various factors. To keep the duration short, you can optimize a scan by configuring some of the settings. For even more accurate scan results, you should configure the scan further. You can configure the following options:
- Crawling Options
- Scan Scope
- URL Rewrite Rules
- Website Authentication
- Scan Policy
Before scanning your website, the target host must be ready for the test. Ensure that the target host stays online during the scanning process. In addition, you can use the Pause and Stop features. To avoid any service breakdowns, you can use the Scan Time Window to set the time for Invicti to scan the target URL.
For further information, see Overview of Scan Policies and Scan Policy Optimizer.
Scanning Your Web Applications
Think of your web applications as an unsecured back door into your business. Modern web applications let users interact with the host’s network or server. Poor coding and defective hardening policies may negatively affect the web application security. If the web application is not developed with the relevant security standards, it can be manipulated by exploiting vulnerabilities and misconfigurations.
Invicti’s advanced Proof-Based ScanningTM technology makes it easy to identify SQL Injection, Cross-site Scripting (XSS) and thousands of other vulnerabilities in web applications. Invicti also can detect out-of-date web application technologies to help you keep your web application up-to-date.
The VDB (Vulnerability database) is updated every week.
In the Invicti Standard edition, there are also built-in security testing tools such as HTTP Request Builder, ViewState Viewer, and Encoding and Decoding Tools. It also has a report generator that allows the user to export the details of the scan results. Invicti can be easily integrated into your SDLC, DevOps and other environments to help keep your web applications secure.
For further information, see What is Invicti? and Integrating Invicti Enterprise into Your Existing SDLC.
Reviewing and Comparing Scan Results with Previous Scans
If you have a Invicti edition, you probably have already performed a scan of your web application. Previous scans make you aware of the security development process. Please compare the old and new scan results, and review the newly discovered issues.
- Invicti allows you to retest the issues found in a previous scan.
- You can also choose the security test type for specific vulnerabilities.
- Incremental scans help you save time. Instead of scanning the web application, you can just scan the new pages added since the last scan.
You can integrate an issue tracker with Invicti to help you manage and maintain a list of all the issues at each stage of the SDLC (Software Development Life Cycle).
For further information, see Creating a New Scan and Reviewing Scan Results and Imported Vulnerabilities.
Attackers use different methods to hack web applications. Every day brings the potential for a new attack. Scheduling and performing periodic security scans are vital. Each scan may discover new vulnerabilities in your web application. If vulnerabilities are detected, you need to fix them as quickly as possible and then re-test them with Invicti. At this point, Invicti checks whether the issues are properly fixed. If so, they are marked as resolved. This process needs to be conducted continuously so that the security of your web applications is maintained.
For further information, see Updating the Status of an Issue in Invicti Enterprise.
Retesting Fixed Issues
The main objective of a security scan is to detect issues and fix them. Invicti lets you retest the issues to check if they are fixed or not. Instead of starting a full scan, you can retest only the fixed issues.
In Invicti Standard, you can retest a single issue or multiple issues at once. In Invicti Enterprise, you can retest all issues. Invicti Enterprise automatically checks the issue. If it is fixed as intended, the issue will be marked as Fixed. If not, the issue will be assigned back to the Assignee. If you are sure that the issue is a false positive, you can mark it as a False Positive. You can also mark the issue as Accepted Risk if you are aware of its impact. And, finally, you can manually mark an issue as Fixed (Unconfirmed).
For further information, see How to Run a Retest in Invicti Enterprise, and How to Run a Retest in Invicti Standard.
Reporting is the most important step in the web application security scanning process. Invicti can generate reports based on relevant regulations. If you want your web application to be compliant with ISO 27001, generate an ISO 27001 Compliance Report to check for specific vulnerabilities and apply the correct remedies.
Invicti Enterprise On-Demand also has a PCI compliance feature that enables you to automate most of the process and generate approved PCI compliance reports. When a PCI scan is completed, websites that meet the standard will receive an approved compliance report. If the website fails, you can fix the listed vulnerabilities and retest them.
Invicti also enables you to create custom reports (see Custom Report Policies). This means you can change the vulnerability details, classification numbers, actions to take or add the logo of your organization
For further information, see Built-in Reports and Report Templates.