The number of websites and web applications grows every year, but so does the number of attackers attempting to exploit them. To protect their web assets, companies turn to web application security solutions to catch vulnerabilities during development and to monitor for new vulnerabilities as they are discovered.
Netsparker rebranded in 2020 as Invicti Security, but it continues to produce a web security scanner with strong vulnerability detection and exploitation features.
See below for a full review of Invicti for web application security:
The Web Application Security Market
The global web application security market is estimated to be worth over $6 billion and to be growing by more than 16% per year. As a private company, Invicti does not publicize full financials, but it claimed annual recurring revenue of more than $40 million in 2020.
The strongest competitors in the web application security market are IBM Corporation, Oracle, Veracode, Synopsys, and Qualys. However, the market is considered fragmented and highly competitive, without any dominant products or solutions.
Invicti Key Features
Invicti web application security solutions scan websites, integrated applications, forms, and other embedded code deployed on a website. Invicti is designed for complex enterprise needs with a large number of scalable and automated features:
- Dynamic Application Security Testing (DAST) for:
  - OS Command Injection
  - Remote File Inclusion/SSRF
  - Path Traversal
  - SQL Injection
  - Reflected or stored cross-site scripting (XSS)
  - Unvalidated Redirect
  - Out-of-Band Detection
- Interactive Application Security Testing (IAST)
  - Continuously scan web assets
  - Crawl and investigate links, forms, and User Interface (UI) elements
  - Scan unlinked, configuration, and hidden files
- Supply Chain Testing or Software Composition Analysis (SCA)
  - Automatically detect and test open-source components
  - Automatically detect and track versions and report on outdated components
- Manual Scanning Tools
  - Perform additional testing on specific components
  - Perform tests when automated scanning would be inappropriate or inefficient
  - Perform tests on air-gapped development environments
- Efficient Reporting
  - Integrate results from DAST, IAST, SCA, and manual testing into one report
  - Track and manage all web technologies (language versions, libraries, etc.)
  - Direct proof of indirect vulnerabilities
  - Vulnerability Trend Matrix to compare scans over time on the same asset
  - Reports and compliance checks for PCI DSS, OWASP Top 10, and HIPAA
  - Integrate with many different issue tracking systems, project management systems, and more
  - Integrate with web application firewalls
Invicti Key Benefits
Invicti’s web application security tightens security for deployed web assets. However, many of these tasks can be done manually or by competing products. What are the benefits of specifically using Invicti?
Know the Attack Surface
Reduce False Positives + Vulnerability Ratings
False positives waste developer and security team time. Invicti dramatically reduces false positives by using proof-based results that provide evidence of exploited vulnerabilities, not just possible vulnerabilities. All detected vulnerabilities will be ranked and detailed to allow for prioritization and immediate action.
Security teams must check applications for vulnerabilities, and some of those tests are tedious and repetitive. A web security scanner performs the basic tests for the security team. Automating the basic testing lets security teams either push out apps faster because of the hours saved or invest those hours in more complicated and sophisticated vulnerability tests. Combining several testing methods and delivering proof-based results increases the information available for each vulnerability, so developers spend less time locating the source of a vulnerability and more time fixing it.
Invicti Use Cases
ING Bank’s more than 10,000 employees operate globally and provide customers with financial services, life insurance, and investment management services. To run its business, ING deploys many different internal and external web applications. To secure these web apps against constant attacks, ING needed a comprehensive solution that did not add complexity.
Perry Mertins, audit supervisor for ING Insurance EURAsia, explains, “As opposed to other web application scanners we used, Invicti is very easy to use and does not require a lot of configuring. An out-of-the-box installation of Invicti Web Application Security Scanner can detect more vulnerabilities than any other web application security scanner we have used so far.”
The Oakland University William Beaumont School of Medicine deploys a number of websites and web applications used constantly by students, faculty, and thousands of employees. The medical and personal data handled by these apps needed to be tightly secured by an automated process that stayed up to date.
“Since the university’s web applications are frequently changing to adapt to the students’ and university’s needs — and because malicious attacks are becoming more sophisticated — it is important that we keep on scanning all of them frequently for the latest type of security threats to ensure that no vulnerabilities are left undetected,” says Dan Fryer, senior Windows system engineer, Oakland University.
Although a company of fewer than 50 employees, OpenCart provides a shopping cart web application installed on more than 300,000 websites. With so many customers depending on a secure web application, OpenCart needed to scan its code deeply and quickly against a broad range of vulnerabilities.
“We are now more confident in our code thanks to scanning it with Invicti Enterprise,” says James Allsup, OpenCart project technical consultant. “Knowing that we can deploy a test site and have it scanned for the latest security threats in just minutes does help ensure that we keep the most recent releases as secure as possible.”
The web application security market contains many competitors offering a broad spectrum of specialties and services. Invicti stands out from its competitors through several key differentiators:
In independent third-party testing, Invicti performed better than the other competitors tested. Invicti caught 100% of the vulnerabilities tested for OS Command Injection, Remote File Inclusion, Path Traversal, SQL Injection, Reflected XSS, and Unvalidated Redirects. It also produced no false positives that could waste a development team's time.
Advanced Crawling Functions
Invicti’s crawler navigates and submits jQuery and AngularJS links, forms, and UI elements on every page to protect against Cross-Site Request Forgery attacks, functionality issues, and forgotten domain links. The crawler also supports authentication, so testing is performed the way a logged-in user would actually use the web app.
Developer Education, Integration, and Testing
Incorporating Invicti into development permits detection of vulnerabilities as code is committed. This provides rapid feedback to developers along with remediation advice and links to references. Invicti integrates with many different issue trackers, and when a developer marks a vulnerability as fixed, Invicti automatically retests the vulnerability to verify the fix.
Flexible and Scalable Testing
Invicti’s modular architecture separates scanning functions from scanning management. This allows the solution to deploy scans in a wide variety of development architectures quickly and easily. It also allows for automatic deployment and destruction of scanning agents on the AWS cloud.
Range of Testing Tools
Many web application security testing tools test for code vulnerabilities. Invicti combines DAST, IAST, SCA, and out-of-band testing to check for complex vulnerabilities that require independent DNS responders, precise timing, or multiple responses to confirm.
Pricing is per target site with unlimited users, roles, and privileges. Competitors cite pricing for a team version at $666 per month, and customers note that the product can be one of the most expensive solutions on the market; however, Invicti does not list pricing publicly. Pricing for this product is further complicated by the different potential deployment methods and optional add-on tools.
Although more expensive than the average solution, Invicti’s developer integration, accurate and deep testing options, effective reporting, and attack surface identification provide enormous value. Organizations’ web applications continue to grow more complex, and the information managed by web apps, such as personal data, only grows more valuable and more regulated. For many, the cost of a web app breach exceeds the cost of testing and remediating vulnerabilities in their code, and that makes the justification for investing in Invicti’s solution stronger.