Automatically Optimize Scan Policies for More Efficient and Speedy Scans
We have been working on the upcoming versions of Netsparker Desktop and Netsparker Cloud web application security scanners for some time now, and finally, the new features are taking shape. One of the new features I'd like to speak to you about today is the Scan Policy Optimizer.
What is the Scan Policy Optimizer?
The Scan Policy Optimizer is a wizard-based optimizer that lets you optimize Netsparker's scan policies automatically.
Why Optimize Web Security Scan Policies?
Most modern custom-built web applications are quite extensive in terms of functionality, so it can take an automated web application security scanner a considerable amount of time to scan them. There are many things you can do as a user to reduce the duration of an automated web security scan, such as optimizing the web scanner's scan policy.
Automated Optimization of Web Security Scan Policies
Even though optimized scan policies mean more efficient and speedy web security scans, many of us do not have the time to go through all the checks and determine which ones should be enabled or disabled during a specific scan, or we are too lazy to do it. So our automation-obsessed gurus thought of automating most of the process via a simple wizard. Below you can find the procedures on how to
How to Optimize Scan Policies in Netsparker Desktop
1. Launch the Scan Optimizer Wizard
You can launch the Scan Policy Optimizer wizard by clicking the magic wand button next to the Scan Policy drop down menu in the Start a New Scan dialog. You can also launch the Scan Policy Optimizer from the Scan Policy Editor.
2. Select Operating System
Tick the operating system on which the target web application is running.
3. Select Web Server Software
Tick the web server software the target web application is running on.
Note: If the target web application is running on web server software that is not listed here, Netsparker can still scan it. If the web server software is not listed, it just means that there are no specific security checks for it, and you can untick all web servers.
4. Select Application Server / Web Technology
Tick the application server the target web application is built on. If it is built using multiple application servers, tick all that apply.
Note: If the target web application is built with a web technology that is not listed here, Netsparker can still scan it. If a web technology is not listed, it just means that there are no specific security checks for it, and you can untick all application servers.
5. Select Database Server
Tick the database server the target web application is using. If multiple database servers are being used, tick all that apply.
Note: If the target web application is using a database server that is not listed here, Netsparker can still scan it. If a database server is not listed, it just means that there are no specific security checks for it, and you can untick all database servers.
6. Configure Netsparker Resource Finder
In this step you can limit or disable the Resource Finder, which is a module used to guess unlinked or hidden directories and other types of resources, such as old backup files. To disable the Resource Finder, simply untick the option Enable Resource Finder. Alternatively, you can limit the number of resources to look for in every folder via the Limit input field.
7. Configure Known Web Application Fingerprinting
Netsparker web application security scanners have a known web application fingerprinting module that is used to identify off-the-shelf web applications such as WordPress and Drupal. If it detects such a web application, it launches a number of specific security checks. If the target web application you are scanning does not have any such web applications installed, you can safely disable the option Enable Web App Fingerprint.
8. Review the New Optimized Scan Policy
In the last step you can review all of the configured options. Should you need to make further changes, use the Back button to navigate back to that option. Once ready, name the scan policy and click Finish to save it and use the scan policy during a web application security scan.
How to Optimize Scan Policies in Netsparker Cloud
1. Launch the Scan Policy Optimizer Wizard
You can launch the Scan Policy Optimizer wizard in Netsparker Cloud from two different locations: from the Optimized Policies mode in the Policies left-hand sidebar menu, or by clicking the New Optimized Scan Policy button on the Scan Policies page, as shown in the screenshot below.
2. Select Operating System
Tick the operating system on which the target web application is running.
3. Select Web Server Software
Tick the web server software the target web application is running on.
Note: If the target web application is running on web server software that is not listed here, Netsparker can still scan it. If the web server software is not listed, it just means that there are no specific security checks for it, and you can untick all web servers.
4. Select Application Server / Web Technology
Tick the application server the target web application is built on. If it is built using multiple application servers, tick all that apply.
Note: If the target web application is built with a web technology that is not listed here, Netsparker can still scan it. If a web technology is not listed, it just means that there are no specific security checks for it, and you can untick all application servers.
5. Select Database Server
Tick the database server the target web application is using. If multiple database servers are being used, tick all that apply.
Note: If the target web application is using a database server that is not listed here, Netsparker can still scan it. If a database server is not listed, it just means that there are no specific security checks for it, and you can untick all database servers.
6. Configure Netsparker Resource Finder
In this step you can limit or disable the Resource Finder, which is a module used to guess unlinked or hidden directories and other types of resources, such as old backup files. To disable the Resource Finder, simply untick the option Enable Resource Finder. Alternatively, you can limit the number of resources to look for in every folder via the Limit input field.
7. Configure Known Web Application Fingerprinting
Netsparker web application security scanners have a known web application fingerprinting module that is used to identify off-the-shelf web applications such as WordPress and Drupal. If it detects such a web application, it launches a number of specific security checks. If the target web application you are scanning does not have any such web applications installed, you can safely disable the option Enable Web App Fingerprint.
8. Review the New Optimized Scan Policy
In the last step you can review all of the configured options. Should you need to make further changes, use the Back button to navigate back to that option. Once ready, name the scan policy and click Finish to save it and use the scan policy during an online web application security scan.