What are you doing in Netsparker to eradicate false positives?
When we started designing Netsparker Web Application Security Scanner we wanted to build a tool that helps penetration testers find vulnerabilities without the need to verify detected vulnerabilities, by guaranteeing a false positive free scan.
How do we guarantee false positive free scans? It is the same as what penetration testers do manually: try to exploit the identified vulnerability, and if the exploitation is successful, then it is not a false positive. So we included an exploitation engine in Netsparker that automatically exploits detected vulnerabilities in a safe and read-only way. If the vulnerability is exploitable, Netsparker flags it as a real vulnerability; therefore penetration testers do not have to manually verify it.
And we didn’t stop there. To confirm that we are on the right track, and that the Netsparker exploitation engine works as advertised, we made plenty of tests, i.e. security scans of live web applications, and compared the findings to those of other well-known scanners. We are proud to say that Netsparker was the only scanner that did not report any false positives, not to mention that it was also the scanner that detected the most exploitable vulnerabilities. In fact, the team reported several zero-day vulnerabilities in open source web applications such as Joomla, MediaWiki and TWiki.
Apart from guaranteeing false positive free web security scans, are there any other advantages in having an exploitation engine in Netsparker?
There are several other advantages in having an exploitation engine in Netsparker.
For example, just like in many other professions, “showing” instead of “telling” works better. When you show the actual impact an exploited vulnerability might have to management or to the developers, they will immediately understand how important the problem is. However, they tend to ignore you when you only talk about vulnerabilities on a hypothetical level.
Secondly, developers can use the Netsparker exploitation engine to better understand how the vulnerability works. By learning more about detected vulnerabilities and the different ways they can be exploited, developers will get better at remediating them and also at writing more secure code in future projects.
Last but not least, since users do not need to verify the vulnerability scanner findings, web security scans can be performed by junior members of the team, so senior members of the development team can focus on more important issues, such as fixing reported vulnerabilities.
What is the way forward for Netsparker and other web application security scanners?
Netsparker is already able to automatically exploit and verify the most commonly exploited vulnerabilities, such as SQL injection, cross-site scripting (XSS), remote code execution, remote file inclusion and many others. Therefore, if Netsparker detects any of these vulnerabilities, rest assured that they are not false positives. There are, though, some other vulnerabilities that at this stage Netsparker is still unable to verify automatically; therefore a lot of research is being done to discover new ways to automatically verify more types of web application vulnerabilities, and of course, at the same time, to find new ways to improve the existing verification checks.