Netsparker's 2016 in Review

Thu, 12 Jan 2017 - by Ferruh Mavituna

A highlight of what we have done in 2016 and what features and scanning capabilities we introduced in our web application security scanners.

2016 was a great year for Netsparker. We were the first (and only) web security scanner vendor to introduce a number of cutting-edge technologies that make it possible to effortlessly scan 100s and 1000s of websites, without the need to spend hours configuring the scanner or days verifying the vulnerability findings.

We have also introduced the monthly web application security scanner updates, been featured in a number of interviews and more, as highlighted in this overview post.

Automating and Scaling Up Web Vulnerability Scanning

The first Netsparker update we released in 2016 focused on automation and scalability. We developed features in the scanner to help users automate more of both the pre-scan (configuration) and post-scan (verifying the results). The February 2016 update of Netsparker scanner had:

Automatic recognition and configuration of URL rewrite rules: you do not need to know the URL rewrite configuration on the target, or configure the scanner to crawl and scan all the parameters on the target website.

Proof-Based Scanning^TM Technology: a technology that automatically generates a proof of exploit of the identified vulnerabilities, so you do not have to manually verify them. Here is a short two minute video on how this technology works.

In the February 2016 update of Netsparker web application security scanner we also released the:

fully responsive Netsparker Enterprise interface,
the Scan Policy Optimizer,
integration with bug tracking systems such as Github and Team Foundation Server,
and much more, as you can read in these release notes.

Monthly Web Security Scanner Updates

Since April 2016 we started releasing a monthly update of both Netsparker Desktop and Netsparker Enterprise. The advantage of monthly releases is that you do not have to wait four or more months to start using a new feature. If a feature is developed, it means it is needed and it will help you automate more, so we will release it once it is ready. Below are some of the highlights from the 2016 product updates:

Updated the scanning engine to automatically find vulnerabilities in Parameter-based navigation web applications,
Improved the scanning engine to better crawl and scan single page web applications (SPA)
Ability to export the web security scan results as ModSecurity WAF rules,
Updated the scanner to automatically scan REST APIs / RESTful web services,
Introduced the Report Policies in Netsparker Enterprise,
Added the HTTP Request Builder tool in Netpsarker Desktop, so you can create your own HTTP requests,
Rebuilt the Netsparker Enterprise Web Vulnerability Tracking System,
Added SMS and Email Notifications in Netsparker Enterprise, so you can be instantly alerted when critical vulnerabilities are identified on your web applications,

Apart from all the new features and scanner improvements, every month we are introducing new web vulnerability checks and improving the existing ones. We are also frequently adding new security checks such as checks for Subresource Integrity and Content Security Policy to help you build more secure web applications.

Published 21 Zero-day Vulnerability Advisories

In 2016 we publised 21 zero-day vulnerability advisories, some of which were in high profile WordPress plugins. Refer to the complete list of Netsparker advisories for more information on the identified vulnerabilities. You can also read the articles we published in previous years for some interesting statistics about the zreo-day vulnerabilities that our web application security scanner have found over the hears:

Free Netsparker Enterprise Scans, Interviews and More from Netsparker

In 2016 we have also announced free Netsparker Enterprise web vulnerability scans to open source projects. Several open source projects are already benefitting from this campaign, including OpenCart, who are featured in this web security case study. If you would like to use Netsparker Enterprise for free for your open source project, please get in touch.

Our CEO Ferruh Mavituna has also been interviewed several times during 2016. Starting with an interview in which he explains what is Netsparker at RSA in San Francisco, and then four more interviews on the popular security show Paul’s Security Weekly. You can watch all the interviews from the below links:

What’s in Store for Netsparker Web Security Scanner in 2017?

In 2016 we have made a lot of progress and going in 2017 the mantra will be the same; continue improving the Netsparker Enterprise and Netsparker Desktop editions of our web application security scanner both in terms of features, ease of use, automation and also scanning capabilities.

About the Author

Ferruh Mavituna

Ferruh Mavituna is the founder and CEO of Invicti Security, a world leader in web application vulnerability scanning. His professional obsessions lie in web application security research, automated vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti’s award-winning products, Netsparker and Acunetix.