It’s been a busy year for everyone at Netsparker, with new product features, growing market share, and of course lots of content on the blog. With the New Year just around the corner, it’s the perfect time for a look back at 2020 on the Netsparker blog.
In the News
As the global headliner of 2020, COVID-19 made an appearance on the blog back in March when Netsparker decided (as one of the first in the software community) to offer complimentary licenses for pandemic responders. We also wrote about the first wave of pandemic-related cyberattacks and the special importance of cybersecurity in the new remote-first world.
The end of the year brought a more technical global threat in the form of the SolarWinds hack. We provided an early analysis of the attack and its unprecedented consequences for information security and the cybersecurity industry in general.
In more positive news, we were delighted to announce that Netsparker was named a Gartner Peer Insights Customers’ Choice for Application Security Testing. This accolade is especially important to us as it is based on customer reviews and confirms high levels of user satisfaction with our products and support.
Netsparker featured on Paul Asadoorian’s Security Weekly podcasts several times during the year. Netsparker founder and CEO Ferruh Mavituna spoke on topics relevant to enterprise web security, such as building a web application security program and measuring time-to-value in web security. He also debunked many of the myths around dynamic application security testing (DAST) tools and talked about the true capabilities of modern DAST products.
Netsparker security researcher Sven Morgenroth also appeared on the podcast, demonstrating more technical aspects of web security. This included a discussion of using HTTP security headers to provide an additional layer of security and a presentation of common vulnerabilities introduced when implementing JSON Web Tokens (JWTs).
Web Application Security Best Practices
Following existing best practices for web application security is a huge part of getting measurable results with limited resources. This year, we covered best-practice topics ranging from general system hardening to implementing Content Security Policy (CSP), defining cybersecurity metrics, and using threat modeling to anticipate attack vectors.
As web applications get ever more complex, scan automation and systematic vulnerability management are vital to ensure you cover all bases. Web API security is also becoming a crucial consideration and we published a how-to article on REST API scanning with Netsparker.
We started the year with a white paper discussing a critical topic for vulnerability scanning: the impact of false positives on web application security tools and workflows. Far from being a mere inconvenience, results tainted with false positives are impossible to automate at scale, making this the first challenge on the road to enterprise web security.
This was followed up by a white paper clearing up some misconceptions around the relationship between network security and web application security. Being a relative newcomer to the IT security industry, web application security is all too often overlooked by organizations focused on maintaining their mature network security programs.
We talk a lot about best practices and recommendations in web security, but how do they translate into reality? To find out, we commissioned a survey of IT security professionals and summarized the results in a report. Among other findings, we discovered that web application environments are far less secure than company executives believe.
A crucial advantage of Netsparker is its ease and speed of deployment coupled with a flexible architecture that can support a variety of customer setups. Our technical white paper Flexible Deployment Options with Netsparker Scan Agents shows the benefits of this architecture and demonstrates sample deployment scenarios.
All About DAST and Security Industry Trends
The potential of modern dynamic web application security testing is still underappreciated by many in the IT industry. To set the record straight, we have written about the versatility of modern DAST and its vital role for web security testing in the real world and for getting an overall view of your security posture. And if you’ve ever wondered what’s so special about a “web zero-day”, we have a whole blog post on zero-days that separates the facts from the marketing.
The blog also featured behind-the-scenes posts about the inner workings and development of Netsparker, including an article that explains how Netsparker finds vulnerabilities and a piece about Netsparker’s web application advisory program. In another post, we laid out the many advantages that Netsparker’s game-changing Proof-Based Scanning™ technology brings to the table.
Addressing wider trends in cybersecurity, we have written about the challenges of ensuring IoT security and about the cybersecurity skills gap that makes accurate automation the only realistic way to secure thousands of web assets. API security also made another appearance in a post about the OWASP API Security Top 10.
Continuing our quest to build a web vulnerability knowledge base, we’ve covered a wide variety of vulnerabilities and attack techniques. Starting with topical issues, this included the critical remote code execution vulnerability in Oracle WebLogic Server, for which we quickly added a check and provided a detailed analysis.
No web security compendium would be complete without the big-name vulnerabilities of yesteryear. Of these, we covered the BEAST attack, the Heartbleed bug, and the POODLE attack that was the final nail in the coffin of SSL3. Interestingly, even though these should only be of historical interest, vulnerable websites can still be found out there for each and every one of them.
Turning to less spectacular but more practical vulnerabilities, we extended our coverage of injection attacks by adding posts about blind SQL injection, XXE injection, and NoSQL injection. Format string vulnerabilities and insecure direct object references (IDORs) were also featured.
On a more general note, we wrote about the importance of input validation errors as the root cause of nearly all injection attacks and presented an overview of integer overflow errors. Web shells also got their own article as a topic of major importance for security engineers and administrators alike. And finally, we featured a technical deep dive into the methods used to prevent cross-site scripting bugs when using the React framework.
More to Come in 2021
As hinted in last week’s blog post, we are expecting a wealth of exciting product features in the coming months. Naturally, we will be covering all the new technologies on the blog along with the benefits they bring to our users. We are also planning more technical articles on the latest web security research as well as continuing our educational series on typical vulnerabilities.
In this last post of the year, we can finally wave a long-awaited farewell to the many dramas and crises of 2020. On behalf of the whole Netsparker crew, we’d like to wish everyone a very happy New Year – and these trivial words have never sounded so hopeful.