There are several other advantages in having an exploitation engine in Netsparker.
For example, just like in many other professions, “showing” works better than “telling”. When you show management or developers the actual impact an exploited vulnerability can have, they immediately understand how important the problem is, whereas they tend to ignore you when you only talk about vulnerabilities at a hypothetical level.
Secondly, developers can use the Netsparker exploitation engine to better understand how a vulnerability works. By learning more about the detected vulnerabilities and the different ways they can be exploited, developers get better at remediating them and at writing more secure code in future projects.
Last but not least, since users do not need to verify the vulnerability scanner’s findings, web security scans can be performed by junior members of the team, so senior members of the development team can focus on more important issues, such as fixing the reported vulnerabilities.
What is the way forward for Netsparker and other web application security scanners?
Netsparker is already able to automatically exploit and verify the most commonly exploited vulnerabilities, such as SQL injection, cross-site scripting (XSS), remote code execution, remote file inclusion and many others. Therefore, if Netsparker detects any of these vulnerabilities, rest assured that they are not false positives. There are, however, some other vulnerabilities that at this stage Netsparker is still unable to verify automatically, so a lot of research is being done to discover new ways of automatically verifying more types of web application vulnerabilities, and at the same time to find new ways to improve the existing verification checks.
As regards the other web application security scanners, I think all of us, including Netsparker, should start focusing a bit more on finding new and innovative ways to verify our findings and avoid reporting false positives. Web vulnerability scanners are not what they used to be 5 years ago; they have come a long way. Many of them can detect vulnerabilities that 5 years ago we didn’t think it was possible to detect using automated means. So from that aspect, all web security scanners as a whole have improved. But as automation increased, false positives also increased. So, what’s the point in increasing automation when penetration testers and web security experts still have to verify a scanner’s findings?