Mahesh's Blog

" It's hard to beat a person who believes in his or her own strength. And I believe in mine."

Saturday, November 22, 2014

Netsparker Cloud Online Security Scanner

Netsparker announced that their new online web application security service offering Netsparker Cloud is in its final stages of development and is available in BETA. This means that you can now apply for a free trial of Netsparker Cloud and check out all the new features to see how your business can benefit from them.

What is Netsparker Cloud?

As the name implies, Netsparker Cloud is a cloud based web application security and vulnerability scanner that any organization can use to scan websites and uncover any vulnerabilities and security flaws that could leave them and the business exposed to malicious attacks.
Netsparker Cloud is not just the next ordinary online scanner to hit the news. It has a number of enterprise level features which are specifically built to help large organizations, who have hundreds and even thousands of website ensure the security of all their websites in an easy and manageable way. And it is not just about the features; there is no doubt that the Netsparker Cloud scanning engine is one of the best out there because it is built around the already proven scanning engine of Netsparker Web Application Security Scanner.

A Bit of Netsparker History

For those of you who are not familiar with Netsparker and their web security scanner, Netsparker is a very young company. Most probably the youngest in the web application security industry but don’t under estimate it. The first version of Netsparker was released in early 2010. Since then Netsparker have taken great strides and their scanner have been continuously improving. In fact nowadays Netsparker Web Application Security Scanner is considered to be one of the market leaders in the industry. Its leading performance in terms of crawling capabilities and vulnerability detection is clearly shown in the latest independent web application security scanner comparison conducted by security expert Shay Chan, where Netsparker smoked the competition and lead the field, matching the performance of scanners that cost at least four times as much.
Apart from leading the field by being the scanner which identified most vulnerabilities, Netsparker also has its own unique cutting edge technology; automatic exploitation of vulnerabilities. What does this mean to you? It means that Netsparker is the first, and until now the only web application security scanner that does not report any false positives. And why should this be important to you?
Well it is very important, let me explain why. It is a well known fact that automated security tools generate a lot of false positives. Therefore users spend countless amount of hours verifying the scanner’s result to check which of the reported vulnerabilities are true or not. From the business, financial and operations point of views this does not make sense. I mean what is the use of having an automated tool when you have to manually verify it’s results? It defeats the whole scope of automation. Actually it raises the budget costs and hinders the process of securing web applications, not to mention that it actually leads to leaving a lot of vulnerabilities unchecked, as explained in False Positives The problem of false positives in web application security and how to tackle them.

A Deeper Look Into Netsparker Cloud

The Obvious, Scalability – Scan as Much as You Want When You Want

I won’t ramble much about this, but it is always worth a mention. There are a number of advantages that large organizations can leverage when using a cloud based products such as Netsparker Cloud. The most relevant is scalability. Large organizations have hundreds and thousands of web applications, and scanning them all and ensuring that none of them have any security flaws can be a bit of a nightmare, to say the least.
In fact many try to build their own inhouse web scanning solution but most of them fail because they are very difficult to maintain, do not scale well and are not as good as off the shelf scanners at detecting vulnerabilities. On the other hand with Netsparker Cloud large organizations can scan as much websites as they want when they want without hassling with on-premise software licenses or hardware on which to run it.

Always Up to Date

Imagine a new vulnerability is being exploited in the wild, like we have seen lately with Heartbleed and Shellshock. If your organization have their own in house solution, first a security check has to be developed, then tested and then implemented for the scanners to use. If you are using on-premise scanning software, you have to update all of the running instances prior to scanning all your websites. This might not be an issue if you have a few installations but if you are scanning hundreds and thousands of sites, then most probably you have quite a few installations. Updating a good number of installs is definitely not the way to go, because again it consumes a lot of resources and time.
On the other hand Netsparker Cloud is always up to date. As soon as a vulnerability is making headlines Netsparker’s engineers would have already added the security checks for it in Netsparker Cloud, so all you have to do is login and launch the security scans and if you are using groups, then this should be just a quick 1 minute job.

Multi User Environment

This is another must have enterprise feature; Netsparker Cloud multi user support. When you subscribe for a Netsparker Cloud account, you can create as much users as you want within that account. You can assign different privileges to each user, for example one can only view the scan results, one can launch security scans only and another can add new websites to Netsparker Cloud account.
This means that everyone involved in the process of securing web applications, including managers, supervisors, developers, testers and even consultants can login and do the job without the need to wait for instructions, hence ensuring any security issues are immediately remediated.

API and SDLC Integration

Netsparker Cloud also has an API that allows developers to configure new scans, modify existing scans, launch new scans and do almost anything else through it. Therefore integrating web application security scanning in your SDLC is not just possible now, but also very easy to do. There are several benefits to Integrating web application security scans throughout every stage of the SDLC.
For example when security is considered and thought for at every stage of the development of a website, you do not only have a more secure website but addressing security issues is much easier. When security is not thought for at the early stages of development, remediating vulnerabilities might be too costly if not impossible because the fundamentals of the design do not cater for such fixes.

Better Management of Your Web Application Security Program

Scanning websites and generating reports is one thing, but consolidating all the information and using it to remediate security flaws and improve the security of all the websites in a timely manner is another. When you use Netsparker Cloud all your web application security reports and data are centralized and can be easily accessible by all the team members, thanks to the multi user support. Hence developers can start remediating security flaws as soon as the scans are ready without the need to wait for the reports to pass through all the bureaucratic procedures.
Managers can also get an overview of the security state of all websites in their organizations through the different number of reports Netsparker Cloud has available. For example they can get an overview of a specific website from the website dashboard, where a number of graphs highlight the number and type of vulnerabilities identified on the website, as highlighted in the below screenshot.

Of course there are also developer reports which include extensive amount of details about each detected vulnerability including the vulnerable parameter, the payload used for testing and practical information on how to remediate the vulnerability.

There are also the correlated trending reports, which not only enable managers to get an overview of the current state of security of a website, but how it also evolved. Trending reports also allow managers to keep an eye on the performance of each developer because they highlight the changes in vulnerabilities throughout a number of scans. For example from such reports you can get an idea of when a vulnerability was identified for the first time in the web application, when it was fixed, when and if it reappeared again etc.

Netsparker Cloud is a Fully Configurable Scanner

One common problem users are wary of when using a cloud based product is lack of flexibility in terms of configuration. For example when comparing the online and on-premise editions of a particular software, the cloud based edition is typically very limited in terms of configuration and flexibility, mostly because many of the features were not ported. This is not the case with Netsparker Cloud; what can be configured in the scanner that is installed on computers, can be configured in its online counterpart Netsparker Cloud.

Netsparker Cloud Free Trial

There are many other neat features that make Netsparker Cloud an ideal solution for organizations of any size but it is not possible to mention them all in this article. Hence I recommend you to check out all the features for yourself and see how much your organization can benefit and save in terms of budget when using Netsparker Cloud. Start today and apply for a free Netsparker Cloud trial.

Summary – Cloudy Days Help Organizations Have More Secure Websites!

As we have just seen, organizations can benefit a lot when using Netsparker Cloud. Having said that we do not mean that on-premise software such as Netsparker Web Application Security Scanner is of no use anymore, actually there is still a lot of place for such software in the web application security ecosystem. It all depends on what your requirements are.
If you only have a few websites and a one man or small team, or if you frequently do penetration tests on the premises of your customers,  most of the time Netsparker Web Application Security Scanner is your tool of choice. On the other hand, if your hair is falling off because you cannot cope with the stress of managing the security of hundreds and thousands of web applications, then of course Netsparker Cloud is the way to go since it has got a good number of features that you can leverage to ease your daily job and ensure the security of all websites in your organization. Netsparker Cloud is also available as an on-premise solution, thus allowing you to also scan websites and portals that are only accessible from inside your network.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home