Netsparker's Web Application Security Blog

CWE/SANS Top 25 Software Errors for 2019

Category: Web Security Readings - Last Updated: Fri, 03 Jan 2020 - by Zbigniew Banach
CWE/SANS Top 25 Software Errors for 2019

In September 2019, a new CWE/SANS Top 25 Most Dangerous Software Errors list was published for the first time since 2011. Unlike previous lists, it was calculated by analyzing reported vulnerabilities to determine underlying weaknesses, so it is especially valuable for developers and software security professionals. This article looks at the top-rated software weaknesses and shows how they apply in practice to web application security. Read More

Netsparker’s 2019: The Year in Review

Category: News - Last Updated: Fri, 27 Dec 2019 - by Zbigniew Banach
Netsparker’s 2019: The Year in Review

2019 has been a very special year for Netsparker, as we celebrated our 10th anniversary. For the past 10 years, our revolutionary web vulnerability scanner has been helping organizations of all sizes worldwide to eliminate vulnerabilities, reduce costs, and embrace automation. We’ve also been busy with industry events, security research, whitepapers, and blog articles – so please join us for a look back at this year’s highlights and most popular content. Read More

Season's Greetings

Category: Web Security Readings - Last Updated: Tue, 24 Dec 2019 - by Netsparker Team
Season's Greetings

The entire Netsparker team would like to wish you all the best in the upcoming holiday season. Whether you are celebrating Christmas, Hanukkah, Kwanzaa, Yule, Las Posadas, or simply taking the time off to rest, may you spend it with those who are closest to you. Read More

How DNS Cache Poisoning Attacks Work

Category: Web Security Readings - Last Updated: Fri, 13 Dec 2019 - by Zbigniew Banach
How DNS Cache Poisoning Attacks Work

DNS cache poisoning attacks try to fool applications into connecting to a malicious IP address by flooding a DNS resolver cache with fake addresses corresponding to requested domain names. If the attacker succeeds in filling the DNS cache with false data, the resolver might return a spoofed address instead of querying for the real one. As a result, the user might connect to a malicious site at the address returned from the cache. Let’s see why DNS spoofing is possible and how you can mitigate the threat. Read More

Ferruh Mavituna Talks About Building a Realistic Web Security Program on Enterprise Security Weekly #164

Category: Web Security Readings - Last Updated: Tue, 10 Dec 2019 - by Allen Baird
Ferruh Mavituna Talks About Building a Realistic Web Security Program on Enterprise Security Weekly #164

Netsparker CEO Ferruh Mavituna is interviewed on Enterprise Security Weekly about how to start building a realistic web security program in enterprises. He discusses the shift-left approach by which security is built into the application at an earlier stage, and how to reach this stage in a safe, prioritized and persuasive way. Read More

Progress Panel Improvements

Category: Product Docs & FAQS - Last Updated: Thu, 05 Dec 2019 - by Ugur Aldanmaz
Progress Panel Improvements

The Progress panel displays information about scan speed and progress, including how far your scan has progressed. The Netsparker Standard 5.5 November 2019 Update introduced improvements that help you better estimate the remaining scan time. Read More

Understanding Reverse Shells

Category: Web Security Readings - Last Updated: Tue, 03 Dec 2019 - by Zbigniew Banach
Understanding Reverse Shells

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. Reverse shells can also work across a NAT or firewall. This article explains how reverse shells work in practice and what you can do to prevent them. Read More

South Dakota Bureau of Information and Telecommunications (SD BIT) Deploys Netsparker to Secure Residents’ Personal Data

Category: News - Last Updated: Tue, 26 Nov 2019 - by Dawn Baird
South Dakota Bureau of Information and Telecommunications (SD BIT) Deploys Netsparker to Secure Residents’ Personal Data

South Dakota Bureau of Information and Telecommunications conducted research and trials for a web application scanner to solve their internal and external security needs. They chose Netsparker because of its ease of use, superior accuracy, support knowledge base, meaningful reports and responsive team, enabling quicker security fixes. Read More

Top 10 Cybersecurity Trends to Look Out For in 2020

Category: Web Security Readings - Last Updated: Tue, 19 Nov 2019 - by Zbigniew Banach
Top 10 Cybersecurity Trends to Look Out For in 2020

2019 has seen cybersecurity issues firmly take their place in the news, both for the technology industry and the general public. While organizations are increasingly aware of the importance of cybersecurity, most are struggling to define and implement the required security measures. In this article, we take a look at 10 cybersecurity trends that are likely to shape the cybersecurity landscape in 2020, from data breaches and IT security staff shortages to security automation and integration. Read More

Red Team Vs Blue Team Testing for Cybersecurity

Category: Web Security Readings - Last Updated: Thu, 14 Nov 2019 - by Zbigniew Banach
Red Team Vs Blue Team Testing for Cybersecurity

Red team versus blue team exercises simulate real-life cyberattacks against organizations to locate weaknesses and improve information security. In this wargaming approach, the red team are the attackers and they attempt to infiltrate an organization’s digital and physical defenses using any attack techniques available to real attackers. The blue team’s job is to detect penetration attempts and prevent exploitation. Red team vs blue team exercises can last several weeks and provide a realistic assessment of an organization’s security posture. Read More

Why Static Code Analysis Is Not Enough to Secure Your Web Applications

Category: Web Security Readings - Last Updated: Thu, 07 Nov 2019 - by Zbigniew Banach
Why Static Code Analysis Is Not Enough to Secure Your Web Applications

Static code analysis tools are used to automatically check source code for errors and security vulnerabilities, as well as ensure compliance with coding standards. While effective for some classes of vulnerabilities, they have a number of disadvantages and limitations, especially for web applications. Dynamic analysis solutions address many of these problems and can complement or replace static tools. This article looks at some of the shortcomings of static analysis and shows how deploying dynamic analysis tools can help you improve web application security. Read More