This quick start guide aims to get you oriented with Netsparker Enterprise. For this scenario, you will scan one of the test websites of Netsparker. Scanning a test website can give you an idea about the capabilities of Netsparker Enterprise.
Here are some of the things you will learn how to do:
- Add a target website to your Netsparker Enterprise account
- Customize scan settings for your website
- Review scan results
- Integrate Netsparker Enterprise with an issue tracking system
- Create a scan report
Step 1: Adding a Target Website
Before scanning, you have to add a website to your Netsparker Enterprise account. To do this, from the main menu, select Websites > New Website. Then, enter the necessary information, such as the name, URL and technical contact, and select Save. For further information, see Adding a Website in Netsparker Enterprise.
For the Agent Mode, select Cloud when the website is not on your internal network and is publicly accessible from the internet. If you want to scan a website on your internal network, select Internal mode and install an agent.
Step 2: Launching a Scan
Now that you’ve added your website for security scanning, you can go ahead and launch a scan. To do this, from the main menu, select Scans > New Scan. Netsparker lets you start scanning with the default settings.
Using Default Settings
Netsparker Enterprise provides many default configurations, including a Default Scan Policy with built-in Security Checks, Report Policy, Maximum Scan Duration, Scan Scope, Heuristic URL Rewrite Mode, and Notifications. This makes it easy to get started quickly. To understand the scan settings in depth, see Creating a New Scan.
You may wish to go ahead with the default settings. After selecting the target website, you need to select Launch. Right after, Netsparker will begin scanning the website.
You can monitor the progress in real time. Netsparker also starts reporting vulnerabilities as soon as it identifies them.
Using Customized Settings
What if you need to configure the scan settings and authentication? For this scenario, you need to enter authentication information so that Netsparker can crawl and attack password-protected web pages. To do so, select Form > Form Authentication. As the PHP test website has a straightforward login page, it is easy to configure.
Once you enter the login credentials, select Verify Login & Logout to make sure that Netsparker can crawl and attack these web pages. If your own website has a different configuration for authentication, see Overview of Authentication.
Next, you may wish to configure the Scan Scope. It lets you define what part of the website can be scanned. You can instruct Netsparker Enterprise to scan only the entered URL. That means only the supplied URL and the parameters on its page will be scanned.
Further, you can exclude a certain part of the website from security scanning. You can do this with a regular expression (RegEx). If you wish, you can also exclude the authentication web pages from the scan. When you select the Exclude Authentication Pages checkbox, Netsparker excludes authentication-related web pages, such as the login and logout pages, from the scan scope to prevent logging out during the scan. For further information, see Scan Scope.
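To make the scope options above concrete, here is an added example (not Netsparker's own scope logic, and not code from this guide) of a scope filter that applies the three settings described: scanning only the entered URL, RegEx exclusions, and excluding authentication pages. The crawled URL list and the AUTH_PAGE_PATTERNS list are constructed for the example; the host php.testsparker.com is the test site named later in this guide, but the paths under it are made up. It assumes that exclusion patterns are matched against the full URL and that "only the entered URL" means the same path with any query parameters.

```python
import re
from urllib.parse import urlparse

# Constructed: default patterns standing in for "Exclude Authentication Pages".
AUTH_PAGE_PATTERNS = [r"/log(in|out)\b", r"/sign(in|out)\b"]

# Constructed crawl results for a target; the paths are invented for this example.
CRAWLED = [
    "http://php.testsparker.com/",
    "http://php.testsparker.com/products.php?id=1",
    "http://php.testsparker.com/auth/login.php",
    "http://php.testsparker.com/auth/logout.php",
    "http://php.testsparker.com/admin/",
    "http://static.example.org/lib.js",
]


def in_scope(url, target_url, entered_url_only=False,
             exclude_patterns=(), exclude_auth_pages=False):
    """Return True if `url` should be crawled and attacked under these scope settings."""
    target = urlparse(target_url)
    candidate = urlparse(url)

    # Never leave the target site: scheme and host must match the entered URL.
    if (candidate.scheme, candidate.netloc) != (target.scheme, target.netloc):
        return False

    # "Scan only the entered URL": same path, query parameters may vary.
    if entered_url_only and candidate.path.rstrip("/") != target.path.rstrip("/"):
        return False

    # Assumption: RegEx exclusions are matched against the full URL.
    patterns = list(exclude_patterns)
    if exclude_auth_pages:
        patterns.extend(AUTH_PAGE_PATTERNS)
    return not any(re.search(p, url) for p in patterns)


def filter_scope(urls, target_url, **settings):
    """Keep only the URLs that are in scope; the scanner would skip the rest."""
    return [u for u in urls if in_scope(u, target_url, **settings)]


if __name__ == "__main__":
    base = "http://php.testsparker.com/"
    print("whole site:", filter_scope(CRAWLED, base))
    print("no auth pages:", filter_scope(CRAWLED, base, exclude_auth_pages=True))
    print("no admin:", filter_scope(CRAWLED, base, exclude_patterns=[r"/admin/"]))
    print("entered URL only:",
          filter_scope(CRAWLED, "http://php.testsparker.com/products.php",
                       entered_url_only=True))
```

Excluding the login and logout pages keeps the scanner from following a logout link mid-scan, which is exactly the session-loss problem the checkbox is meant to prevent; a RegEx exclusion is the general form of the same control for any part of the site you do not want touched.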
Now, you may wish to configure the scan time window. As the PHP test website is in the production environment and is accessible by visitors, you may not want to cause any disruptions. So, you can instruct Netsparker to perform scanning within non-business hours. For further information, see Scanning Production Environments.
In addition to these customizations, you may add links to have a head start in scanning and configure notifications. To understand each setting and how to configure it, see Netsparker Enterprise Scan Options Fields.
Remember that scan duration may vary depending on the size of the web application and the variety of security checks enabled in the Scan Policy you’ve selected.
Step 3: Reviewing Scan Results
When Netsparker completes the security scan, it notifies you by email. In this scenario, the scanner warns you that the PHP test website is very insecure and requires immediate attention.
Now, select View the Report Online to see the scan summary. This page lists vulnerabilities grouped by severity level. For further information, review the technical report to see whether a vulnerability identified by Netsparker is confirmed. Once you know that the vulnerability is confirmed, you can start working on the issue.
You may wish to select Update to assign this vulnerability to developers. Netsparker notifies them so that they can start working on it. Or, if you prefer not to work on it, select the Accepted Risk button.
When you want to review the progress, select Issues > All Issues. This page provides a quick overview of vulnerabilities. For example, Netsparker shows that the Blind SQL Injection is Fixed (Unconfirmed).
This means a remediation action has been taken on this issue, and the issue is updated as Fixed. Now, select Issues > Waiting for Retest. Netsparker notifies you that it is about to scan to confirm the remediation, and when the scan is completed, you’ll be notified.
If the issue is fixed, its state is automatically changed to Fixed (Confirmed); otherwise, Netsparker changes its status back to Present and assigns it to the user who previously marked the issue as Fixed.
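The issue lifecycle described in this step (assign, mark Fixed, wait for retest, then Fixed (Confirmed) or back to Present with reassignment to whoever marked it fixed, plus Accepted Risk) is small enough to model as a state machine. The following is an added example written for this guide, not Netsparker's own code: the Issue class, its state names and the retest helper are assumptions that mirror the labels used in the text, and the sample issues are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class State(Enum):
    # State labels follow the names used in the guide.
    PRESENT = "Present"
    FIXED_UNCONFIRMED = "Fixed (Unconfirmed)"
    FIXED_CONFIRMED = "Fixed (Confirmed)"
    ACCEPTED_RISK = "Accepted Risk"


@dataclass
class Issue:
    name: str
    severity: str
    state: State = State.PRESENT
    assignee: Optional[str] = None
    fixed_by: Optional[str] = None          # who marked it Fixed; reassigned on a failed retest
    history: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def assign(self, user: str) -> None:
        """'Update' in the UI: hand the issue to a developer."""
        self.assignee = user
        self.history.append(("assigned", user))

    def mark_fixed(self, user: str) -> None:
        """Developer claims remediation; the issue now waits for a retest."""
        if self.state is not State.PRESENT:
            raise ValueError(f"{self.name}: only Present issues can be marked Fixed")
        self.state = State.FIXED_UNCONFIRMED
        self.fixed_by = user
        self.history.append(("marked fixed", user))

    def accept_risk(self, user: str) -> None:
        """'Accepted Risk' button: the team chooses not to work on it."""
        self.state = State.ACCEPTED_RISK
        self.history.append(("accepted risk", user))

    def retest(self, still_identified: bool) -> State:
        """Outcome of the confirmation scan for this issue."""
        if self.state is not State.FIXED_UNCONFIRMED:
            raise ValueError(f"{self.name}: not waiting for retest")
        if still_identified:
            # Fix did not hold: back to Present, owned by whoever claimed the fix.
            self.state = State.PRESENT
            self.assignee = self.fixed_by
            self.history.append(("retest failed, reassigned", self.fixed_by))
        else:
            self.state = State.FIXED_CONFIRMED
            self.history.append(("retest passed", None))
        return self.state


def waiting_for_retest(issues: List[Issue]) -> List[Issue]:
    """The 'Issues > Waiting for Retest' view: everything marked Fixed but unconfirmed."""
    return [i for i in issues if i.state is State.FIXED_UNCONFIRMED]


def run_retest_scan(issues: List[Issue], still_present: Set[str]) -> List[Issue]:
    """Apply a confirmation scan's findings (names still detected) to every waiting issue."""
    retested = waiting_for_retest(issues)
    for issue in retested:
        issue.retest(still_identified=issue.name in still_present)
    return retested


if __name__ == "__main__":
    # Constructed sample issues for the walkthrough.
    sqli = Issue("Blind SQL Injection", "Critical")
    xss = Issue("Cross-site Scripting", "High")
    sqli.assign("alice"); sqli.mark_fixed("alice")
    xss.assign("bob");    xss.mark_fixed("carol")   # carol claims the fix, not the assignee
    # Confirmation scan still finds the XSS, so it returns to carol.
    run_retest_scan([sqli, xss], still_present={"Cross-site Scripting"})
    for i in (sqli, xss):
        print(i.name, "->", i.state.value, "assignee:", i.assignee)
```

The detail worth noticing is that a failed retest reassigns to the person who marked the issue fixed rather than to the current assignee; that keeps the claim of remediation and the responsibility for it with the same user, which is the behaviour the text describes.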
Want to create a team in Netsparker Enterprise? See Managing Team Members in Netsparker Enterprise.
Step 4: Integrating with Issue Tracking Tool
To handle issues easily, you may wish to integrate Netsparker Enterprise with an issue tracking system. Netsparker integrates with a wide range of software and tools in your existing SDLC processes, including vulnerability management systems, issue tracking systems, continuous integration systems, and web application firewalls. These tools help you streamline the bug fixing process.
For further information about integrations, see Integrations.
Let's say you set up an integration with Jira. So, you want Netsparker to report critical issues to Jira once the scan is completed. Then, you can assign issue(s) to developers directly from Jira. To do so, you can select Notifications > New Notification.
Then, you can configure bi-directional integration with Jira, so that when a developer fixes an issue and sends a merge request, Netsparker tests the fix to check whether the issue is really fixed. If Netsparker still identifies the issue, it re-assigns it to the same developer. To configure this, select Integrations > New User Mapping. Then, select the Jira tab and complete the integration.
You can view this infographic to see how Netsparker works and which tools it integrates with.
Step 5: Creating a Scan Report
Suppose you’ve scanned php.testsparker.com and assigned the issues to developers. While they are working on these issues, your managers may want to view the progress. So, you need to submit a report that they can glance through to understand your progress.
To generate an executive summary, from the Recent Scans window, you can select Report from the relevant scan. Then, select Export.
From the Report drop-down, you can select the Executive Summary. From the Format drop-down, select PDF. Then, select Export.
What if developers want to view the progress on the website? Then, you can select the Detailed Scan Report from the Report drop-down and Export. For more information about different types of reports, see Reports.
Need more information about how to use Netsparker Enterprise? Visit https://www.netsparker.com/support. Still have questions? Contact firstname.lastname@example.org.