During his years as a penetration tester, Ferruh Mavituna had frequently felt a frustration familiar to many in the industry: the time wasted investigating, and trying to remediate, reported vulnerabilities that turn out to be false positives.
Ferruh had a vision of an automated scanning tool that could avoid this waste by actively exploiting the vulnerabilities it detected, thereby proving that they were real rather than merely suspected. This vision began to take shape as early as 2006, when he habitually filled his off-duty hours with coding experiments to test the merits of his ideas.
From the outset, Ferruh threw away the rule book and set about creating a product with its own agenda. Like many software side projects, the development process entailed frenzied bouts of midnight coding, each one edging the concept closer to its elusive goals.
But despite many early successes (some of which made Ferruh’s day job a whole lot easier), it wasn’t until three years later that the development shifted gears and moved a step closer to commercial reality. In mid-2009, with a working proof of concept completed, Ferruh teamed up with co-founders Peter Edgeler and Mark Lane to create Netsparker Limited, the company that would later come to be acknowledged as the birthplace of false-positive-free scanning.
Almost immediately, the prototype was released as a beta to around 500 of Ferruh’s contacts in the security industry. Buoyed by its enthusiastic reception, the team refined the design over the following months, and the first commercial version of the product we now call Netsparker was launched in early 2010.
Such was the demand for a product that could genuinely deliver on the promise of false-positive-free scanning that Netsparker became an almost overnight success, and the company turned profitable after just four months of trading.
For Ferruh, this was just the beginning of a journey that would see Netsparker grow and mature, both technically and commercially. The technical team was expanded to include additional coders, as well as dedicated security research and QA staff, and the stage was set for an ambitious development programme that would see many more of Ferruh’s “bright ideas” translated into new and exciting Netsparker features.
Two years after inception, Netsparker’s unique approach has earned it a place of honour among the leading security scanning tools. It is now regularly awarded best-of-breed status by independent reviewers and, even more importantly, users love it.
But the story is far from complete. With a commitment to continuous innovation, the Netsparker development pipeline is already germinating the next set of ideas that will shape the future of automated scanning. Expect to see them become reality in a forthcoming Netsparker release.
“When we were evaluating web application security scanners, Netsparker was the scanner that identified most vulnerabilities without requiring any configuration changes. It also identified several SQL injection and cross-site scripting vulnerabilities that other scanners did not identify.”
Perry Mertens, Supervisor Auditor at ING EurAsia IT Audit Team
“This is probably the best web-app tool that I have ever seen. Of course, I am not a hacker... Really :) But I have reviewed some penetration test results and other tools, and of course I know a lot of hackers, so I can say that your tool covers all of the most important things.”
Eli Jellenc, International Cyber Threat Analysis Manager at Verisign