Enabling Enterprise Application Security


Alvaro Warden, Worldwide Director, Channels & Partnerships at Invicti, spoke to CXO DX about the company’s focus in the region on enabling enterprise-grade application security testing.

Elaborate on your application security testing solutions for the enterprise segment?

Invicti is an enterprise-grade application security testing platform that continuously discovers and tests all of an organization’s web applications and APIs and automates remediation workflows to help organizations mitigate risk. The platform combines advanced testing technologies – DAST, IAST, and SCA – with broad support for industry-standard authentication methods, short scan times, unparalleled accuracy through our proprietary proof-based scanning functionality, and integrations into DevSecOps workflows so that vulnerabilities can be remediated quickly and efficiently.

Invicti offers three packages to support enterprise use cases:

1) Standard: An on-premise desktop web vulnerability scanner

2) Enterprise: Available on-premise and in the cloud, web vulnerability scanner plus over 50 integrations to automate your CI/CD and SDLC

3) 360: Available on-premise and in the cloud and includes all of the capabilities above plus IAST and SCA

Do the SME segment businesses have enough awareness of the need to invest in application security testing solutions?

Invicti’s core capability, DAST (dynamic application security testing), is a well-established segment of security, and of application security specifically. Many organizations, especially those with compliance mandates such as PCI-DSS, are well aware of the need for DAST. Invicti-sponsored research indicates that DAST will be 19% adopted in SMB, 29% adopted in mid-market, and 57% adopted in enterprise in 2024, suggesting a strong continuing market opportunity.

Looking at Invicti’s customer base, there is a large number of SME customers. The three most popular features for that segment are:

Proof-Based Scanning

Many application security testing solutions are prone to false positives, which makes security testing slower, less accurate, and much more frustrating. However, vulnerabilities that can be exploited are not false positives. Our proprietary proof-based scanning automatically confirms 94% of direct-impact vulnerabilities with a confirmation accuracy of 99.98%, which means there is a false positive rate of less than 0.02%. Invicti provides safely extracted payloads in the scan results as proof that the finding can be exploited. This approach reduces the burden for security professionals who are overwhelmed with manual re-tests and serves to prioritize remediations for developers so they can get back to focusing on innovation.

Continuous Web Asset Discovery

Organizations can’t secure what they don’t know they have, and many drastically underestimate the number of websites, web services, APIs, and web applications they own. In a matter of seconds, Invicti’s automated asset discovery engine detects all of the publicly-facing web assets associated with an organization by leveraging a highly optimized database of global web assets to run its discovery queries. The discovery process can be customized using the organization’s domain as an initial input, enabling the user to exclude specific results or manually add domains for analysis. Invicti keeps track of the discovery status, automatically notifying the user when new publicly-facing web assets are detected – no user interaction required.

Technologies Dashboard

Invicti finds and lists all of the technologies used in and across your web applications so that you have a complete inventory of your applications’ technology stack. It provides an in-depth report, through the Technologies Dashboard, that indicates all of the applications in which out-of-date technologies or vulnerable components are in use, and automatically notifies the responsible users so that issues can be remediated. With visibility into where vulnerable components or outdated technologies are used in multiple applications, you are better able to prioritize and reduce time to remediation. With the rise in awareness around supply chain risk, the Technologies Dashboard is an invaluable tool in assisting in creating a comprehensive Software Bill of Materials (SBOM).

Describe the advantages of combining the DAST + IAST scanning approach

Invicti offers unique DAST-induced Interactive Application Security Testing for PHP, Java, .NET, and Node.js. Unlike passive IAST solutions that rely on functional testing or user interaction to crawl an application, our DAST+IAST approach offers unparalleled test coverage so that users can identify and fix more of the highest-impact vulnerabilities. This approach uniquely offers deeper insights into runtime issues while identifying and testing local assets that traditional crawlers can’t see. With an IAST sensor deployed locally in the runtime environment, the DAST scanner is given access to the full website structure – including unlinked and hidden files, as well as server-side configuration files – so it can completely map, crawl, and test all pages. This reduces time to remediation because IAST is able to pinpoint the exploitable vulnerabilities down to the line of code.

The IAST sensor (agent) continuously provides additional information about vulnerabilities and the application environment. Our IAST solution also enhances our proprietary proof-based scanning functionality as it monitors the scanning process and supplies extra information to deliver proof for even more vulnerabilities. This results in even fewer false positives and allows users to confidently automate more issues without the need for manual verification. In fact, our industry-leading proof-based scanning automatically confirms 94% of direct-impact vulnerabilities with a confirmation accuracy of 99.98%.

Scan results that include findings from IAST scanning are clearly marked within the vulnerability reports that can be accessed through the Invicti UI. These findings can be found in automatic trouble tickets providing developers with the issue location, details about the impact of the vulnerability, remediation guidance, and the safely extracted payloads to provide proof that the finding can be exploited.

Why are false positives a challenge when it comes to scanning? How does proof-based scanning from Invicti validate vulnerabilities and avoid false positives?

One of the biggest challenges we hear from our customers is the number of hours they spend chasing false positives. The more false positives a tool produces, the more inefficient an application security program becomes, and ultimately the less effective the tool is. Further, application security is a collaboration between security/AppSec teams and development teams. In the case of false positives, if the AppSec team isn’t able to verify the vulnerability, that means a developer wastes time chasing an issue that doesn’t exist, which not only creates inefficiencies in development but subsequently erodes trust between developers and the AppSec team, undermining the success of the program.

Invicti includes our unique proof-based scanning that automatically confirms 94% of direct-impact vulnerabilities with a confirmation accuracy of 99.98%, which means there is a false positive rate of only 0.02%. Invicti provides safely extracted payloads in the scan results as proof that the finding can be exploited.

While extracting sample data is only possible for some types of vulnerabilities, Invicti also provides confirmation and proof for many other issues, including variants of cross-site scripting (XSS). Whenever the scanner detects a vulnerability that can be safely exploited, it generates and executes test payloads within the vulnerable application context. When successful, these attacks prove that the vulnerability is real, so the payload is reported as a proof of concept (PoC). Seeing the actual attack payload is especially useful for reproducing and fixing the underlying issue.

Invicti only provides a confirmation and PoC if the attack is successfully executed in the embedded browser environment. This reduces false positives caused by scanners mistaking valid responses for vulnerable behaviors and works for many types of vulnerabilities, including issues where the proof had to be exfiltrated out-of-band. If it is possible to directly replay the attack in-band and without special context, a proof URL is additionally provided for convenience.

Invicti’s proof-generating payloads don’t perform simple string echos, but more complex operations that only return the expected result if the attack point is indeed vulnerable. For example, when investigating an XSS vulnerability, Invicti will attempt to execute a confirmation payload that includes a randomly-chosen arithmetic operation. DOM simulation is used to check if the payload triggers the expected interfaces to deliver the correct result of the calculation. For DOM-based XSS, Invicti reports stack traces from its internal DOM simulation to confirm the vulnerability and provide developers with detailed debugging information.

Elaborate on your focus on the Middle East market?

The Middle East and Africa (MEA) region is experiencing a significant digital transformation across various industries, including finance, healthcare, energy and government. Each of these sectors has unique application security requirements, making it critical that best-of-breed and specialized solutions are implemented. As organizations adopt more digital technologies, the need for robust application security solutions becomes critical to protect sensitive data and ensure business continuity. From a regulatory compliance perspective, many countries in the MEA region are implementing or enhancing data protection and privacy regulations where compliance requires robust application security measures.

MEA is a strategic growth region for Invicti Security, and we have a strong network of channel partners who are able to further enhance the customer experience and foster trust within the market via local language support and differentiated services delivery, allowing us to more effectively serve these markets, reach new customers, and expand our mutual footprint in the most rapid manner possible. We will continue to invest heavily in further developing our presence in MEA.

Discuss the highlights of your showcase and participation at Black Hat?

Our expectation is that the market exposure Black Hat provides, along with networking opportunities with industry peers, our partners and potential customers, will enhance our visibility within the market and connect us with those companies actively seeking our software solution. We very much value the in-person collaboration with our local channel partners and systems integrators, as they continue to help accelerate the distribution and adoption of Invicti’s best-of-breed DAST solution within the market.
