New research shows how Netsparker’s Proof-Based Scanning cuts through uncertainty

Zbigniew Banach - Wed, 29 Sep 2021

Automatic application security testing used to be synonymous with uncertain results that always needed manual verification, but modern vulnerability scanners have put a definite end to that era. This post presents highlights from an Invicti white paper on the challenges of noise and uncertainty in dynamic application security testing – and Netsparker’s proven approach to extracting reliable data from scan results.



When noise obscures vulnerabilities

On the face of it, writing some scripts to automate manual vulnerability tests seems relatively straightforward and is a routine part of penetration testing. The big challenge comes when you try to make an automated test work reliably across a wide variety of applications and environments. Without great care backed by years of experience, any inaccuracies and uncertainties are amplified across each phase of vulnerability scanning until the user is flooded with unreliable results.

Alert overload is a major burden for professionals in all areas of cybersecurity. Dealing with all the real issues is already a challenge in itself – and that’s without having to wade through endless false alarms to pick out the reports that really matter. To cut down on the noise, Netsparker optimizes each stage of scanning even before running the first vulnerability check. The scanner then safely executes finely-tuned test attacks and uses its embedded browser engine to simulate realistic user interactions for maximum accuracy. And best of all, over 94% of direct-impact vulnerabilities are confirmed automatically with no risk of error. This is Proof-Based Scanning in action.

Proven accuracy built on years of expertise

The idea behind Proof-Based Scanning is deceptively simple: if you can automatically exploit a vulnerability, then it is definitely real and not a false positive. However, implementing this basic principle in an enterprise-grade tool while ensuring safe and consistent performance requires years of painstaking security research and application development. Netsparker has been perfecting and expanding its vulnerability scanning engine for over a decade to deliver automatic confirmation of vulnerabilities with over 99.98% accuracy. In other words, when Netsparker marks a vulnerability as confirmed, the risk of it being a false positive is less than 2 in 10,000.

The specific type of confirmation and proof provided by Netsparker depends on the type of vulnerability. For many injection vulnerabilities, including SQL injection, Netsparker can safely execute an injected payload and extract sample data as a proof of exploit. For client-side vulnerabilities such as cross-site scripting (XSS), the built-in browser engine is used to execute test payloads and verify whether an exploit was successful. Again, fine-tuned attack patterns accumulated and repeatedly tested over many years of development are used to ensure accuracy.

Certainty makes all the difference

The bad reputation of early vulnerability scanners lives on in the minds of AppSec professionals. Many organizations still treat scan results as unreliable by default and double-check them manually, making it all but impossible to efficiently automate and scale application security testing. When any result could potentially be a false positive, you need to check everything before you can be certain.

Working with a vulnerability scanner that actually delivers accurate and reliable results turns the traditional approach to application security on its head. Proof-Based Scanning allows Netsparker to show and prove which results are real and exploitable vulnerabilities that your developers can start fixing right now with no manual verification. With out-of-the-box issue tracker integration, Netsparker will even create the tickets. Scan, report, assign, fix. And no noise, only measurable security improvements.

Eliminating uncertainty makes all the difference in security testing. To see how this is done in Netsparker and learn the inner workings of Proof-Based Scanning, get the full Invicti technical white paper How Netsparker Generates Proof to Avoid False Positives.



About the Author

Zbigniew Banach

Technical Content Writer at Netsparker. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web security to a wider audience on the Netsparker blog and website.