Netsparker’s 2020 in Review
Despite the challenges of a global pandemic and economic uncertainty in 2020, Netsparker has continued to improve its industry-leading black-box web security solution. We’ve added more security checks while also allowing customers to integrate the scanner with more bug tracking tools – and all this while helping companies optimize costs in these trying times. This article looks back on Netsparker’s 2020 and provides a sneak peek at new features that are coming soon.
Trends in Web Application Security
While the world has struggled with many new challenges in 2020, not least the pandemic, trends in web application security have not changed much in the past year. Several trends continue to dominate the web application security sphere: growing numbers of web assets to be secured, acceleration of the shift from internal to cloud applications, a false sense of web security among executives, and a growing focus on DevSecOps.
Runaway Growth of Web Assets
The number of assets, web services, and IoT devices that organizations need to manage and protect has continued to increase. With disparate company assets all over the globe, companies have been struggling to keep track of their assets, which presents a major challenge for security teams.
In the old days, when companies had at most a dozen websites, they would typically hire pentesters to find any security holes in their handful of sites. Today, we are often talking about thousands of websites and multiple web technologies – to the extent that many organizations don’t even know how many websites they have. Modern tools like Netsparker can play a crucial role in helping even small security teams effectively discover assets and scan them for vulnerabilities. However, organizations still need to address all the issues that are found – and there could be thousands.
The Search for More Agile Security Workflows
In the long run, it is clear that the only practical way is to address security from early on in the development process or, in other words, to shift security left. To do this in an agile environment, companies are moving to DevSecOps – a software development methodology that integrates security checks and practices into DevOps processes to prevent security from becoming a bottleneck. However, many organizations still lack the workflow maturity needed to fully incorporate security into the software development lifecycle.
Accelerated Move to the Cloud
The existing shift from internal to cloud applications accelerated in 2020. As the coronavirus outbreak forced companies to embrace remote working as the default model, accessing and securing on-premises solutions has become more challenging. This has made web applications running on cloud platforms a viable business option while also making web application security a business-critical consideration.
Disconnect Between Web Security Theory and Practice
At the same time, our research has revealed a false sense of security in organizations across the board. We have found that executives take a far more optimistic view of web application security than security professionals. For example, 75% of executives believe that their organization scans all its web applications for vulnerabilities while nearly half of security staff say this is not the case. This can lead to overconfidence in the face of growing security threats.
Aware of all these trends, we have released a number of features that make it much easier for organizations to discover all their assets, identify vulnerabilities, and integrate Netsparker with bug tracking tools. In total, in 2020, we delivered 8 releases for Netsparker Enterprise and a massive 13 releases for Netsparker Standard!
New Security Checks
To detect more issues in your organization's web applications, Netsparker continues to introduce new security checks. To name just one high-profile issue, we moved quickly to add a check for a critical vulnerability in Oracle WebLogic Server. Many informational checks were also added, such as CDN checks to detect whether the scanned website is using popular CDN services to speed up the loading of source files or images.
For security checks to be truly effective, you need to reach every corner of your web application, particularly password-protected web pages. We added the form authentication custom script editor for Netsparker Enterprise to provide an intuitive way of configuring access for authenticated scans. To further improve scan coverage, we also added the pre-request scripting feature for modifying requests before they are sent.
Detecting vulnerabilities in your web application is a critical step, but once you’ve identified all the issues, you need to address them in a systematic way – a key requirement for DevSecOps. Issue tracker integration is vital to ensure that confirmed bugs go directly to the developers to be fixed. To make your life easier on that front, Netsparker added more integration tools to its inventory, such as Kenna, Freshservice, and Splunk. Netsparker now also supports two-way integration for Azure and ServiceNow.
A new integration with HashiCorp Vault brings Netsparker into the realm of privileged access management (PAM). HashiCorp Vault users can now run authenticated Netsparker scans without entering sensitive credentials outside the Vault. In the near future, PAM support in Netsparker will be expanded, with plans to introduce CyberArk as the next PAM integration.
Large-Scale User Management and Linux Support
While privileged access management is the key to protecting administrative accounts, coordinated security efforts also require efficient provisioning and management for regular users. To help with this, Netsparker now lets you use IdP-initiated SAML to automatically add Netsparker users based on single sign-on data from identity providers such as Azure and Google. In the near future, Netsparker will also add support for multiple teams and role-based privileges, allowing organizations to more closely align Netsparker user teams to their security requirements.
Another new feature that increases the flexibility of Netsparker is support for Linux scan agents. This provides additional options for companies looking to cut costs in the challenging conditions of 2020 without compromising security. To run an additional scan agent, you now have the choice of using a Windows or a Linux machine.
Customer Acclaim for Netsparker
Our efforts to actively help organizations worldwide improve their web application security have been recognized by our customers. Netsparker is proud to have been named an October 2020 Gartner Peer Insights Customers’ Choice for Application Security Testing. We have also gathered universal customer acclaim on G2.com, with our multiple accolades including High Performer, Fastest Implementation, and Best Support. We take great pride in these distinctions as customer feedback continues to shape our products and services.
Looking to the Future
Fueled by enthusiastic customer feedback, we continue to develop our products and services to maintain and extend our lead in the DAST market in 2021. Crucially, we plan to add IAST functionality that will allow users to dive deeper into detected issues. Beyond that, we will expand and improve many existing features, notably the discovery service to help organizations gain better visibility of their web assets. Netsparker will also drive R&D to help companies identify and categorize vulnerabilities, implementing AI/ML technologies for even more accurate asset identification and issue triaging.
Watch this space for new product developments that will keep Netsparker on the cutting edge of web application security and help organizations truly automate their web security workflows.
Disclaimer: Any forward-looking statements contained in the article are provided for information only and do not constitute any binding obligation or official declaration of feature availability.